Cloudera Docs

Adding a role through Ranger

How to add a role in Ranger.

What is a Role ? A role contains a set of users, groups, or other roles. You assign a role by adding a user, group or role to it. By adding multiple roles, you create a role hierarchy in which you manage permission sets at the role level.

Benefits that roles provide in a large environment:
  • A role may include many users or groups, all of which may be updated using a single command.
  • Adding or revoking a single permission to or from a role requires a single command, which also applies to all users and groups with that role.
  • Roles allow for some documentation about why a permission is granted or revoked.
Conceptually, a role functions as a collection. A group is a collection of users. You create a role and add users to it. Then, you grant that role to a group. Roles present an easier way to manage users and groups, based on specific access criteria.
A simple example of a role hierarchy follows:
  • FinReadOnly role, which gives read permission on all tables in the Finance database and is defined by a Ranger policy that grants read on database:Finance, table:* to the FinReadOnly role.
  • FinWrite role, which gives write permission on all tables in the Finance database and is defined by a Ranger policy that grants write on database:Finance, table:* to the FinWrite role.
  • FinReadWrite role, which role is granted both the FinRead and FinWrite roles and thereby inherits read and write permission to all tables in the Finance database.
  • FinReporting group whose users require only read permission to the Finance tables. FinReporting group is added to FinReadOnly role in Ranger.
  • FinDataPrep group whose users require only write permission to the Finance tables. FinDataPrep group is added to the FinWrite role in Ranger.
  • FinPowerUser group whose users require read and write permission to all Finance tables. FinPowerUsers group is added to the FinReadWrite role in Ranger.

You can create a role either through Ranger, or through Hive.

To add a role, the user must have Admin_Role privilege in Ranger.
To create a role through Ranger, using Ranger Admin Web UI:
  1. Select Settings > Roles.
    Users/Groups/Roles displays the Roles tab active.
    Roles appears with Roles List active
  2. Click Add New Role.
    The Role Detail page displays Role Create options.
    Role Details Page
  3. Enter a unique name for the role. Optionally, add users, groups and/or roles to be associated with the role, then click Save.