Ranger RMS (Hive-S3 ACL-Sync) Use Cases
This topic presents a few common use cases for Ranger RMS (Hive-S3 ACL-Sync).
Use Case 1: RMS Hive policies control access to a table's S3 directories
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- User "unixuser1" does not have any policy to allow it access to table "Customer".
- User "unixuser1" tries to access the storage location through the hdfs command.
Before setting up RMS:
If S3 policies configured through Ranger Admin allow access to the location of the "Customer" table, access will be granted to "unixuser1". The audit log will show "ranger-acl" as the access enforcer.
After setting up RMS:
Access will not be granted to user "unixuser1". The audit log will not name a denying policy, because the denial comes from the absence of any Hive policy allowing access rather than from an explicit deny.
Use Case 2: RMS Hive policies propagate tag-based access control on tables to S3 directories
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
- A policy for the tag "SPECIAL_ACCESS" provides Hive "select" access to "unixuser1".
- User "unixuser1" tries to read the Hive data through the S3 command.
Before setting up RMS:
If S3 policies configured through Ranger Admin allow access to the location of the "Customer" table, access will be granted to "unixuser1". Otherwise, access is denied.
After setting up RMS:
Access will be granted by the tag-based policy for "SPECIAL_ACCESS", which RMS applies to the table's storage location.
Use Case 3: RMS Hive policies propagate tag-based masking on tables and deny access to S3 directories
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
- A policy for the tag "SPECIAL_ACCESS" provides Hive "select" access to "unixuser1".
- A masking policy for the "Customer" table is set up so that the "SSN" column is redacted for "unixuser1".
- User "unixuser1" tries to read the Hive data through the hdfs command.
Before setting up RMS:
If S3 policies configured through Ranger Admin allow access to the location of the "Customer" table, access will be granted to "unixuser1". Otherwise, access is denied.
After setting up RMS:
Access will be denied by the masking policy: a user who may only see redacted data through Hive must not be able to read the unmasked files directly from storage.
Use Case 4: RMS Hive policies take precedence over S3 policies
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- User "unixuser1" has an S3 policy allowing "read" access.
- User "unixuser1" has a Hive policy to allow it access to the "Customer" table.
- User "unixuser1" tries to access the Hive data through the hdfs command.
Before setting up RMS:
Access will be granted by the Ranger S3 policy.
After setting up RMS:
Access will be granted to the "unixuser1" user through the Hive policy, and the audit log will show the Hive policy as the deciding policy rather than the S3 policy.
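The four use cases above all follow one decision rule: without RMS a storage request is decided by the S3 policies alone, while with RMS a path that maps to a Hive table is decided by the Hive-side policies (masking first, then the resource policy, then tag-based policies) and the S3 policies are not consulted. The following Python model is an added illustration, not Ranger's or RMS's own code: it reduces that rule to a small evaluator and replays the four cases so the before/after outcomes can be compared side by side. The S3 location of the "Customer" table, the mapping of a storage "read" to a Hive "select", the policy-name strings and the sample file path are all assumptions made for the example.

```python
"""Toy model of the Ranger RMS Hive-S3 ACL-Sync decisions in the four use cases.

Added illustration, not Ranger or RMS code.  Policy sets are constructed inline;
the table location, access mapping and policy labels are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed S3 location for the "Customer" table (the use cases give no path).
CUSTOMER_LOCATION = "s3a://warehouse/default/customer/"

# Assumed mapping from a storage-level access to the Hive access it needs.
STORAGE_TO_HIVE_ACCESS = {"read": "select", "write": "update"}


@dataclass
class Policies:
    """Constructed policy set; each set holds the tuples that are allowed."""
    s3_allow: set = field(default_factory=set)           # (user, path_prefix)
    hive_allow: set = field(default_factory=set)         # (user, table, hive_access)
    tag_allow: set = field(default_factory=set)          # (user, tag, hive_access)
    masking: set = field(default_factory=set)            # (user, table, column)
    table_tags: dict = field(default_factory=dict)       # table -> {tag, ...}
    table_locations: dict = field(default_factory=dict)  # table -> path_prefix


def table_for_path(pol: Policies, path: str) -> Optional[str]:
    """Return the Hive table whose storage location contains `path`, if any."""
    for table, prefix in pol.table_locations.items():
        if path.startswith(prefix):
            return table
    return None


def evaluate(pol: Policies, user: str, path: str, access: str, rms_enabled: bool):
    """Return (allowed, deciding_policy) for a storage request.

    Without RMS only the S3 policies are consulted.  With RMS, a path that maps
    to a Hive table is decided by the Hive-side policies and the S3 policies are
    ignored for it.  deciding_policy is None when the request is denied without
    any policy matching, which is what use case 1 describes.
    """
    table = table_for_path(pol, path) if rms_enabled else None
    if table is None:
        if any(path.startswith(prefix) for u, prefix in pol.s3_allow if u == user):
            return True, "s3-policy"
        return False, None

    hive_access = STORAGE_TO_HIVE_ACCESS.get(access, access)
    # Use case 3: a masking policy on the table denies raw access to its files.
    if any(u == user and t == table for u, t, _column in pol.masking):
        return False, "hive-masking-policy"
    # Use case 4: the Hive resource policy decides, regardless of S3 policies.
    if (user, table, hive_access) in pol.hive_allow:
        return True, "hive-policy"
    # Use case 2: a tag-based Hive policy propagates to the table's location.
    if any((user, tag, hive_access) in pol.tag_allow
           for tag in pol.table_tags.get(table, ())):
        return True, "hive-tag-policy"
    # Use case 1: no Hive policy matches, so the request is denied.
    return False, None


def run_use_cases():
    """Replay the four use cases; returns {case_number: (before_rms, after_rms)}."""
    base = {"table_locations": {"Customer": CUSTOMER_LOCATION}}
    cases = {
        1: Policies(s3_allow={("unixuser1", CUSTOMER_LOCATION)}, **base),
        2: Policies(table_tags={"Customer": {"SPECIAL_ACCESS"}},
                    tag_allow={("unixuser1", "SPECIAL_ACCESS", "select")}, **base),
        3: Policies(table_tags={"Customer": {"SPECIAL_ACCESS"}},
                    tag_allow={("unixuser1", "SPECIAL_ACCESS", "select")},
                    masking={("unixuser1", "Customer", "SSN")}, **base),
        4: Policies(s3_allow={("unixuser1", CUSTOMER_LOCATION)},
                    hive_allow={("unixuser1", "Customer", "select")}, **base),
    }
    path = CUSTOMER_LOCATION + "part-00000"  # constructed data file path
    return {n: (evaluate(p, "unixuser1", path, "read", rms_enabled=False),
                evaluate(p, "unixuser1", path, "read", rms_enabled=True))
            for n, p in cases.items()}


if __name__ == "__main__":
    for n, (before, after) in run_use_cases().items():
        print(f"use case {n}: before RMS {before}, after RMS {after}")
```

In cases 2 and 3 the model carries no S3 policy, so the "before RMS" result is the "otherwise, access is denied" branch of the text; adding an S3 allow for the location would flip those two "before" results to granted while leaving the "after" results unchanged, which is exactly the precedence the use cases describe. A path outside any mapped table location still falls through to the S3 policies even with RMS enabled.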