Add Ranger policies for components on the CDP Cluster

Enable the default ranger policies on the CDP Private Cloud Base cluster.

The default Ranger policies created on the CDP cluster under cm_<servicename> are effective after the policies are moved under <clustername>_<servicename>. For example, in the case of knox, the default ranger policy for Knox in CDP is CDP Proxy UI and API that is created under the service name cm_knox which can be moved under cl1_knox. The <clustername> is the name registered under ambari.
To migrate policies from cm_<servicename> to <clustername>_<servicename>, perform the following
  1. Log in to Cloudera Manager UI
  2. Navigate to Clusters
  3. Select the Ranger service
  4. Click Web UI. This redirects to the Ranger service page.
  5. On the Ranger Admin UI, click Service Manager
  6. Add the policies available in the table
    Table 1.
    Service Type Policy Name Existing Groups Existing Users Existing Permissions Add new default users to the existing policies Add new default groups Add new Permissions
    Kafka
    * all-topic kafka cruisecontrol, streamsmsgmgr, streamsrepmgr N.A
    rangerlookup N.A
    * all - cluster kafka cruisecontrol, streamsmsgmgr, streamsrepmgr N.A
    rangerlookup N.A
    * all - transactionalid kafka cruisecontrol, streamsmsgmgr, streamsrepmgr N.A
    rangerlookup N.A
    * all - delegationtoken kafka cruisecontrol, streamsmsgmgr, streamsrepmgr N.A
    rangerlookup N.A
    * ATLAS_HOOK hive, hbase, storm, spark_atlas impala, mlgov, nifi N.A
    atlas consume create configure consume publish
    * ATLAS_ENTITIES atlas publish create configure publish
    rangertagsync
    Atlas
    * all - entity-type, entity-classification, entity atlas, rangerlookup, admin beacon, dpprofiler,admin, nifi, admin (remove atlas user from policy)
    rangertagsync public
    atlas (remove atlas user from policy)
    rangerlookup entity-read
    * all - relationship-type, end-one-entity-type, end-one-entity-classification, end-one-entity, end-two-entity-type, end-two-entity-classification, end-two-entity public atlas rangerlookup admin beacon, dpprofiler, admin, nifi, admin (remove atlas user from policy)
    atlas (remove atlas user from policy)
    * all - atlas-service atlas, rangerlookup, admin beacon, dpprofiler, admin, nifi, admin (remove atlas user from policy) admin-purge, admin-audits
    atlas (remove atlas user from policy)
    * all - type-category, type atlas, rangerlookup, admin beacon, dpprofiler, admin, nifi, admin (remove atlas user from policy)
    atlas (remove atlas user from policy)
    public
    * all - entity-type, entity-classification, entity, entity-label atlas beacon, dpprofiler, admin, nifi, admin (remove atlas user from policy)
    public rangertagsync
    rangerlookup entity-read
    * all - entity-type, entity-classification, entity, entity-business-metadata atlas beacon, dpprofiler, admin, nifi, admin (remove atlas user from policy)
    public rangertagsync
    rangerlookup entity-read
    * Allow users to manage favorite searches {USER} entity-read, entity-create, entity-update, entity-delete
    Entity Type = __AtlasUserProfile __AtlasUserSavedSearch
    Entity Classification = *
    Entity ID = {USER} {USER}:*
    Hive

    *

    all - hiveservice hive, rangerlookup

    hive, beacon, dpprofiler, hue, admin, impala

    (remove rangerlookup user from policy item)

    rangerlookup read

    *

    all - global hive, rangerlookup

    hive, beacon, dpprofiler, hue, admin, impala

    (remove rangerlookup user from policy item)

    rangerlookup read

    *

    all - url hive, rangerlookup

    hive, beacon, dpprofiler, hue, admin, impala

    (remove rangerlookup user from policy item)

    rangerlookup read
    * all - database, table, column hive, rangerlookup

    hive, beacon, dpprofiler, hue, admin, impala

    (remove rangerlookup user from policy item)

    rangerlookup read
    {OWNER} all
    * all - database, table, column hive, rangerlookup

    hive, beacon, dpprofiler, hue, admin, impala

    (remove rangerlookup user from policy item)

    rangerlookup read
    {OWNER} all
    * default database tables columns public create
    Hive Database default
    Hive Table *
    Hive Column *
    * Information_schema database tables columns public select
    Hive Database information_schema
    Hive Table *
    Hive Column *
    HDFS
    * all - path hadoop, rangerlookup Remove rangerlookup from policy item
    rangerlookup read

    Knox

    Policy Name

    Knox topolgoy

    Knox service

    Allow conditions - Group

    Allow conditions - Permission

    CDP Proxy UI and API

    cdp-proxy, cdp-proxy-api

    *

    public

    Allow