Providing fine-grained access to namespaces using Ranger

Provide administrator, operator, or monitor role access for a user or a group at the namespace level. Enable the Ranger service for Cloudera Lakehouse Optimizer, and then create the Ranger policies that provide fine-grained access to a user or group.

Namespace-level permissions supersede universal permissions. You can assign the namespace administrator permissions to one or more groups, and then assign the required Ranger policies to those groups. For example, if the clo_user1 group is assigned the all-database Ranger policy, the users within that group have access to all the Cloudera Lakehouse Optimizer policies unless a specific user receives an explicit deny permission.
  1. Verify whether the Ranger service is enabled for Lakehouse Optimizer.
    1. Go to Cloudera Manager > Clusters > [***CLOUDERA LAKEHOUSE OPTIMIZER***] > Configuration tab.
  2. Search for Ranger.
    The Ranger field must be selected.
    [Image: the Ranger field that you must select to provide fine-grained access to a user or group.]

    The CLO SERVICE (cm_clo) resource is displayed in Ranger.
    [Image: the CLO service in Ranger, where you can add Ranger policies.]

    You can create Ranger policies to provide fine-grained access to groups and users based on your requirements.

  3. Create the required Ranger policy in Ranger.
    1. Go to Cloudera Manager > Clusters > Ranger > Ranger Admin Web UI.
      The Ranger UI is displayed in a new tab.
    2. Go to cm_clo > Add New Policy.
    3. Enter the following details in the Create Policy wizard:
      1. Enter a unique Policy Name.
      2. Optionally, enter a Description.
      3. Select one or more names from the CLO Namespace Name list.
      4. In the Allow Conditions section, select the Group, User, or both, and then select the Permissions.
      5. In the Deny Conditions section, deny permissions to a specific group or user in the same way as described in the Allow Conditions step.
      6. Click Save.
Cloudera Lakehouse Optimizer checks the permissions before it runs a Cloudera Lakehouse Optimizer policy.
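
The following is an added example, not part of the Cloudera documentation: a Python check that reads policies in the shape of Ranger's policy JSON and reports which permissions a user ends up with on a namespace once Deny Conditions are applied. The sample policies, the user names, the resource key `namespace` and the access type names are constructed assumptions; exceptions to allow or deny conditions are not modelled.

```python
# Constructed sample shaped like Ranger policy JSON for the cm_clo service.
# Assumptions: the resource key "namespace" and the access type names.
POLICIES = [
    {"name": "all-database", "service": "cm_clo", "isEnabled": True,
     "resources": {"namespace": {"values": ["*"]}},
     "policyItems": [{"groups": ["clo_user1"], "users": [],
                      "accesses": [{"type": "operator", "isAllowed": True},
                                   {"type": "monitor", "isAllowed": True}]}],
     "denyPolicyItems": [{"groups": [], "users": ["alice"],
                          "accesses": [{"type": "operator", "isAllowed": True},
                                       {"type": "monitor", "isAllowed": True}]}]},
    {"name": "sales-admins", "service": "cm_clo", "isEnabled": True,
     "resources": {"namespace": {"values": ["sales"]}},
     "policyItems": [{"groups": [], "users": ["alice"],
                      "accesses": [{"type": "administrator", "isAllowed": True}]}],
     "denyPolicyItems": []},
]

def _matches(policy, namespace):
    # Simplification: only exact names and the "*" wildcard are matched.
    values = policy.get("resources", {}).get("namespace", {}).get("values", [])
    return "*" in values or namespace in values

def _granted(items, user, groups):
    """Access types named by items that apply to the user or one of their groups."""
    out = set()
    for item in items or []:
        if user in item.get("users", []) or groups & set(item.get("groups", [])):
            out |= {a["type"] for a in item.get("accesses", []) if a.get("isAllowed")}
    return out

def effective_access(policies, user, groups, namespace, service="cm_clo"):
    """Allowed access types with explicit denies subtracted (a deny wins)."""
    groups = set(groups)
    allowed, denied = set(), set()
    for p in policies:
        if p.get("service") != service or not p.get("isEnabled", True):
            continue  # other services and disabled policies grant nothing
        if not _matches(p, namespace):
            continue
        allowed |= _granted(p.get("policyItems"), user, groups)
        denied |= _granted(p.get("denyPolicyItems"), user, groups)
    return allowed - denied

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, sorted(effective_access(POLICIES, who, {"clo_user1"}, "sales")))
```

Running the same check over every user and namespace before saving a new policy shows whether an explicit deny removes access that a group-level allow would otherwise grant.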