Policy Type
    Access. There are no other policy types available for an Atlas service.

Policy Name
    A name of up to 255 characters that appears in the list of policies. Roles,
    users, and groups also show up in that list, so it helps if the name includes
    the operations or metadata that the policy controls.

Policy Label
    Metadata you can include in the policy definition to help organize the
    policies for a given service. The same label can be added to any number of
    policies for the service. There is no limit to the number of characters in a
    label, but only 28 characters display in the policy list.

type-category menu
    The metadata or operation type ("resources" in Ranger terms) that the policy
    applies to. The options are:
        type-category
        entity-type
        atlas-service
        relationship-type

type-category option
    Choose this option to authorize actions generally against Atlas resource
    types, including business metadata, classifications, enumerations, entities,
    relationships, and structures. With type-category selected, the options
    include:

    Type Name
        Refines the authorization to specific types within the named type
        category. For example, to give users authorization to create Atlas
        Business Metadata, choose type-category and the category Business
        Metadata; then set the Type Name to *. As another example, to authorize
        users to add values to an existing enum, such as
        AtlasGlossaryTermRelationshipStatus, add this enum to the Type Name and
        include the "Update Type" permission in the Allow Condition. To allow
        users to update any type within the type category, use *. To determine
        the supported values, use the Atlas UI or API to show the defined types.

entity-type option
    Authorizes actions against specific entity types, individual entities,
    entities identified by associated classifications, or entities identified by
    associated metadata. For example, to authorize users to add classifications
    or metadata to any Hive table entity, set entity-type to hive_table and set
    the additional options to *. With entity-type selected, the options include:

    Entity Classification
        Refines the list of entities in entity-type to those associated with a
        specified classification. For example, to restrict authorization to
        Hive tables that were marked with a classification indicating their
        readiness for use, set entity-type to hive_table and include the
        identifying classification name (e.g., Available) in Entity
        Classification.

    Entity ID
        Refines the list of entities in entity-type to those associated with a
        specified ID. When the detail page for an entity is open in the Atlas
        UI, the last element of the browser URL is the entity ID.

    classification
        Authorizes who can add, remove, and update classifications on an
        entity. This applies even to entities that do not yet carry any
        classification, provided that the entity-type, Entity ID, and
        classification match the values specified in the policy.

    Metadata types selection
        Refines the list of entities in entity-type to those associated with
        specific user-defined metadata. The options are:
            entity-label
            entity-business-metadata
            classification
            none
        Set label names in the entity-label type to limit the authorization
        policy to entities marked with any of those labels; use * to indicate
        any label. Set business metadata collection names in the
        entity-business-metadata type to limit the authorization policy to
        entities marked with metadata attributes from that business metadata
        collection; use * to indicate any business metadata collection.

atlas-service option
    Authorizes importing and exporting Atlas entities and purging deleted
    entities through the API. This privilege overrides the specific privileges
    granted for entity-types. Typically the users with this privilege are
    service users creating entities in Atlas.

relationship-type option
    Authorizes the creation and update of Atlas relationships. You can identify
    specific relationship types or use * to indicate any relationship type.
    Typically the users with this privilege are service users creating entities
    in Atlas.

    End1 Entity Type, End1 Entity Classification, End1 Entity ID,
    End2 Entity Type, End2 Entity Classification, End2 Entity ID
        Refine the relationship authorization to specific attributes of
        relationships. "End1" and "End2" indicate the entities on each side of
        the relationship. For example, you could use the End1 and End2 Entity
        Type options to allow modification of relationships only when one side
        of the relationship is a Hive table and the other side is a Hive column.

Description
    Information that you add to help you remember the purpose of this policy.
    The description can be up to 1000 characters.

Audit Logging
    Enables Ranger's audit logging for this policy. Other options in Ranger's
    configuration can conflict with this setting, but generally, if you turn it
    off, Ranger still enforces the policy but does not audit successful or
    failed actions against it.

Allow Conditions
    Choose the roles, users, and/or groups and the permissions they are granted
    on the resources defined in the policy. If you need to carve out parts of
    overlapping groups, add an exclude condition in addition to the allow
    condition. For more information, see Ranger access conditions.

Deny Conditions
    Choose the roles, users, and/or groups and the permissions they are refused
    on the resources defined in the policy.
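The field reference above describes what goes into a policy but not what the resulting object looks like or how the allow and deny conditions combine. The following example, added here and not taken from Cloudera, Atlas or Ranger code, builds the JSON body for three Access policies on an Atlas service (the Business Metadata type-category example, the hive_table plus "Available" classification example, and a deny condition for a group), enforces the stated limits (255-character name, 1000-character description, one type-category menu option per policy), and runs a deliberately simplified local model of Ranger's evaluation (a matching deny item wins, then a matching allow item grants, otherwise deny) so a policy can be sanity-checked before it is posted. The resource keys, the access type names (for example "type-update" for the "Update Type" permission) and the Business Metadata category value "business_metadata" follow Ranger's Atlas service definition as I know it and should be confirmed against your Ranger version; the service name "cm_atlas", the group names and the entity GUID are constructed sample values. The matcher is not Ranger's engine and ignores policy priority, exclude conditions and allow/deny exceptions.

```python
"""Build Ranger Access policies for an Atlas service and sanity-check them locally.
Added example; not Cloudera, Atlas or Ranger code."""
import fnmatch
import json

RANGER_POLICY_API = "/service/public/v2/api/policy"  # Ranger public REST API v2; POST creates a policy
MAX_NAME_LEN, MAX_DESCRIPTION_LEN = 255, 1000         # limits from the field reference

# Resource keys grouped by the "type-category menu" option they belong to. Names follow
# Ranger's Atlas service definition (assumption: confirm against your Ranger version).
RESOURCE_FAMILIES = {
    "type-category": {"type-category", "type"},
    "entity-type": {"entity-type", "entity-classification", "entity", "classification",
                    "entity-label", "entity-business-metadata"},
    "atlas-service": {"atlas-service"},
    "relationship-type": {"relationship-type", "end-one-entity-type", "end-one-entity-classification",
                          "end-one-entity", "end-two-entity-type", "end-two-entity-classification",
                          "end-two-entity"},
}


def _policy_items(entries):
    """Turn [({"users": [...], "groups": [...], "roles": [...]}, [access, ...]), ...]
    into Ranger policyItem objects."""
    return [{
        "users": list(who.get("users", [])),
        "groups": list(who.get("groups", [])),
        "roles": list(who.get("roles", [])),
        "accesses": [{"type": a, "isAllowed": True} for a in accesses],
        "delegateAdmin": False,
    } for who, accesses in entries]


def build_atlas_policy(service, name, resources, allow, deny=(), description="",
                       audit=True, labels=()):
    """Return the JSON-serialisable body for one Access policy on an Atlas service."""
    if not 0 < len(name) <= MAX_NAME_LEN:
        raise ValueError("policy name must be 1..255 characters")
    if len(description) > MAX_DESCRIPTION_LEN:
        raise ValueError("description must be at most 1000 characters")
    # A policy targets exactly one resource family (one type-category menu choice).
    families = [f for f, keys in RESOURCE_FAMILIES.items() if set(resources) & keys]
    if len(families) != 1 or not set(resources) <= RESOURCE_FAMILIES[families[0]]:
        raise ValueError("resources must all belong to one type-category menu option")
    if any(not vals for vals in resources.values()):
        raise ValueError("every resource needs at least one value ('*' for any)")
    return {
        "service": service,
        "name": name,
        "policyType": 0,                       # 0 = Access, the only type for Atlas
        "description": description,
        "isAuditEnabled": audit,               # the "Audit Logging" switch
        "policyLabels": list(labels),
        "resources": {k: {"values": list(v), "isExcludes": False, "isRecursive": False}
                      for k, v in resources.items()},
        "policyItems": _policy_items(allow),      # Allow Conditions
        "denyPolicyItems": _policy_items(deny),   # Deny Conditions
    }


def _resources_match(policy, request):
    """Simplified matcher: every policy resource must match a request value. '*' matches
    anything, including an absent value; other values are matched as glob patterns."""
    for key, spec in policy["resources"].items():
        if spec["values"] == ["*"]:
            continue
        have = request.get(key, set())
        if not any(fnmatch.fnmatchcase(h, pat) for pat in spec["values"] for h in have):
            return False
    return True


def _item_applies(item, who, access):
    named = (who["user"] in item["users"]
             or set(item["groups"]) & set(who.get("groups", ()))
             or set(item["roles"]) & set(who.get("roles", ())))
    return bool(named) and access in {a["type"] for a in item["accesses"]}


def decide(policies, who, access, request):
    """Simplified model of Ranger's evaluation: a matching deny item wins, otherwise a
    matching allow item grants, otherwise the default is deny."""
    matching = [p for p in policies if _resources_match(p, request)]
    if any(_item_applies(i, who, access) for p in matching for i in p["denyPolicyItems"]):
        return "deny"
    if any(_item_applies(i, who, access) for p in matching for i in p["policyItems"]):
        return "allow"
    return "deny"


# Constructed sample policies mirroring the examples in the field reference.
STEWARDS, ANALYSTS, CONTRACTORS = ({"groups": ["data-stewards"]}, {"groups": ["analysts"]},
                                   {"groups": ["contractors"]})
SAMPLE_POLICIES = [
    # Stewards may create and update any Business Metadata type (category value: assumption).
    build_atlas_policy("cm_atlas", "stewards-business-metadata-types",
                       {"type-category": ["business_metadata"], "type": ["*"]},
                       allow=[(STEWARDS, ["type-create", "type-update"])], labels=["metadata-admin"]),
    # Analysts may add or update classifications on Hive tables already marked Available.
    build_atlas_policy("cm_atlas", "analysts-classify-available-hive-tables",
                       {"entity-type": ["hive_table"], "entity-classification": ["Available"],
                        "entity": ["*"], "classification": ["*"]},
                       allow=[(ANALYSTS, ["entity-add-classification", "entity-update-classification"])]),
    # Contractors never classify Hive tables, whatever other groups they belong to.
    build_atlas_policy("cm_atlas", "deny-contractors-hive-classification",
                       {"entity-type": ["hive_table"], "entity-classification": ["*"],
                        "entity": ["*"], "classification": ["*"]},
                       allow=[], deny=[(CONTRACTORS, ["entity-add-classification"])]),
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICIES[1], indent=2))   # body for POST <ranger>{RANGER_POLICY_API}
    table = {"entity-type": {"hive_table"}, "entity": {"PLACEHOLDER-GUID"},
             "entity-classification": {"Available"}}
    print(decide(SAMPLE_POLICIES, {"user": "ana", "groups": {"analysts"}},
                 "entity-add-classification", table))
```

The request dictionaries passed to decide() carry the same keys as the policy resources, with the entity GUID under "entity" (the last element of the Atlas UI URL) and the entity's current classifications as a set, which is what makes the "Available" refinement and the deny-wins rule visible without a running Ranger.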