Understanding Ranger policies with RMS
Ranger RMS for S3 access evaluation workflow
At a high level, the Ranger RMS for S3 access evaluation workflow is as follows:
- Ranger policies for the S3 service are evaluated. If any policy explicitly denies access, access is denied.
- Ranger checks whether the accessed location maps to a Hive table.
- If it does, Hive policies are evaluated for the mapped Hive table. Otherwise, if there is an S3 policy allowing access, then the access is allowed.
- The requested S3 permission is mapped to Hive permissions as follows:
  - S3 ‘read’ ==> Hive ‘select’
- If there is no Hive policy that explicitly allows access to the mapped table, access is denied; otherwise access is allowed.
Appropriate tag policies are considered during the S3 access evaluation phase and, if needed, during the Hive access evaluation phase. Also, one or more audit log records are generated to indicate which policy, if any, made the access decision.
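The evaluation order above as an added, runnable Python model; this is example code, not Ranger's or RMS's own implementation. The Policy class, its field names, prefix-based S3 matching and the deny fallback for an S3 permission with no Hive mapping are simplifying assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed, simplified policy model: names and fields are assumptions, not Ranger's API.
@dataclass(frozen=True)
class Policy:
    name: str
    service: str     # "s3" or "hive"
    resource: str    # S3 path prefix, or "db.table" for Hive
    permission: str  # S3 "read"; Hive "select"
    effect: str      # "allow" or "deny"

# Only read -> select is stated on the page; anything else is left unmapped.
S3_TO_HIVE = {"read": "select"}

def _matches(p, service, resource, permission):
    if p.service != service or p.permission != permission:
        return False
    return resource.startswith(p.resource) if service == "s3" else resource == p.resource

def evaluate(policies, location, s3_perm, table_map):
    """Return (decision, audit_reason) for an S3 request, in the RMS order."""
    s3_pols = [p for p in policies if _matches(p, "s3", location, s3_perm)]
    # 1. An explicit S3 deny ends evaluation immediately.
    for p in s3_pols:
        if p.effect == "deny":
            return "deny", f"S3 policy {p.name} denies"
    # 2. Does the location map to a Hive table?
    table = next((t for pre, t in table_map.items() if location.startswith(pre)), None)
    if table is None:
        # 3a. Plain S3 location: an S3 allow decides, otherwise deny.
        for p in s3_pols:
            if p.effect == "allow":
                return "allow", f"S3 policy {p.name} allows"
        return "deny", "no S3 policy allows"
    # 3b. Mapped table: translate the S3 permission and evaluate Hive policies.
    hive_perm = S3_TO_HIVE.get(s3_perm)
    if hive_perm is None:  # assumption: unmapped permissions fall back to deny
        return "deny", f"no Hive mapping for S3 '{s3_perm}'"
    hive_pols = [p for p in policies if _matches(p, "hive", table, hive_perm)]
    for p in hive_pols:
        if p.effect == "deny":
            return "deny", f"Hive policy {p.name} denies {hive_perm} on {table}"
    for p in hive_pols:
        if p.effect == "allow":
            return "allow", f"Hive policy {p.name} allows {hive_perm} on {table}"
    # 4. No explicit Hive allow: denied even though an S3 allow may exist.
    return "deny", f"no Hive policy allows {hive_perm} on {table}"

# Constructed sample: broad S3 read allow, one Hive table mapped under that prefix.
POLICIES = [Policy("s3-data-read", "s3", "s3a://bucket/data/", "read", "allow"),
            Policy("hive-orders-select", "hive", "sales.orders", "select", "allow")]
TABLE_MAP = {"s3a://bucket/data/sales/orders/": "sales.orders"}
```

The second return value stands in for the audit record that names the deciding policy; the case worth noticing is that an S3 allow alone never grants access to a location that maps to a Hive table.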
The following scenarios illustrate how the access permissions are determined. All scenarios assume that the S3 location is NOT explicitly denied access by a Ranger S3 policy.
- Location does not correspond to a Hive table.
  - In this case, access will be granted only if a Ranger S3 policy allows access. The audit log will show which policy made the decision.
- Location corresponds to a Hive table.
  - A Ranger Hive policy explicitly denied access to the mapped table for any of the accesses derived from the original S3 request.