Creating and assigning Ranger policies

Apart from assigning resource roles to users, you need to set up Ranger policies that authorize users (service, machine, or workload users) to perform specific operations and that grant them rights to certain resources. Learn which Ranger policies you need for the Business Intelligence at Scale pattern and how to create them.

The following table lists the CDP components for which you need to set up resource-based Ranger policies:

| CDP component | Resource-based Ranger policy | Purpose |
| --- | --- | --- |
| Kafka (Streams Messaging) | Kafka | Allow the machine user to publish, configure, and consume Kafka topics. |
| Kafka (Streams Messaging) | Kafka | Allow the machine user to consume the Consumer Group IDs. |
| Schema Registry (Streams Messaging) | Schema-Registry | Allow the machine user to read schema groups from the Schema Registry. |
| Hue (Cloudera Data Warehouse) | Hadoop SQL | Allow the workload user to perform all database, table, and column operations such as select, update, alter, create, drop, insert, read, and write. |

  1. Log in to the CDP web interface.
  2. Go to Management Console > Environments and click on Ranger.
    The Ranger Service Manager page is displayed.
  3. Create a Kafka policy to allow the machine user to publish, configure, and consume Kafka topics.
    1. Click on your main deployment (SMM) policy under KAFKA.
    2. Click Add New Policy on the List of Policies page.
    3. Specify a name for your policy in the Policy Name field.
      For this pattern, you can specify bias-smm-kafka-ingest.
    4. Select topic from the drop-down menu.
    5. Enter the names of the Kafka topics to which you want to authorize user access.
      For this pattern, specify weather, weather_forecast or weather*.
    6. Go to the Allow Conditions section and enter the machine username under the Select User column.
    7. Click under the Permissions column, select the Publish, Consume, and Configure options, then confirm the selection.
    8. Click Add at the bottom of the page.
  4. Create a Kafka policy to allow the machine user to consume, describe, and delete the Consumer Group IDs.
    1. Click on your main deployment (SMM) policy under KAFKA.
    2. Click Add New Policy on the List of Policies page.
    3. Specify a name for your policy in the Policy Name field.
      For this pattern, you can specify bias-smm-kafka-consumer.
    4. Select consumergroup from the drop-down menu.
    5. Enter the Kafka Consumer Group IDs to which you want to authorize user access.
      For this pattern, specify WeatherConsumer, ForecastConsumer.
    6. Go to the Allow Conditions section and enter the machine username under the Select User column.
    7. Click under the Permissions column, select the Consume option, then confirm the selection.
    8. Click Add at the bottom of the page.
  5. Create a Schema-Registry policy to allow the machine user to read the schema groups from the Schema Registry.
    1. Click on your main deployment (SMM) policy under SCHEMA-REGISTRY.
    2. Click Add New Policy on the List of Policies page.
    3. Specify a name for your policy in the Policy Name field.
      For this pattern, you can specify bias-smm-sr-schema-group.
    4. Select schema-group from the drop-down menu and enter weather next to it.
    5. Enter the names of the Schema Registry schemas to which you want to authorize user access in the Schema Name field.
      For this pattern, specify WeatherCurrent, WeatherForecast.
    6. Select schema-branch from the drop-down menu and enter *.
    7. Select schema-version from the drop-down menu and enter *.
    8. Go to the Allow Conditions section and enter the machine username under the Select User column.
    9. Click under the Permissions column, select the Read option, then confirm the selection.
    10. Click Add at the bottom of the page.
  6. Create a Hadoop SQL policy to allow the workload users to perform operations on databases, tables, and columns.
    1. Click Hadoop SQL under HADOOP SQL.
    2. Click Add New Policy on the List of Policies page.
    3. Specify a name for your policy in the Policy Name field.
      For this pattern, you can specify bias-all-database-table-column.
    4. Select database from the drop-down menu and enter *.
    5. Select table from the drop-down menu and enter *.
    6. Select column from the drop-down menu and enter *.
    7. Go to the Allow Conditions section and enter the workload username under the Select User column.
    8. Click under the Permissions column, select the select, update, Create, Drop, Alter, Read, and Write options, then confirm the selection.
    9. Click Add at the bottom of the page.
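
The four policies from this procedure written out as data, in the JSON shape Ranger uses for policy definitions (service, name, resources, policyItems), with a check that lists which resources each policy scopes with a wildcard. This is an added example, not Cloudera's code: the Kafka and Schema Registry service names and both usernames are placeholders, and the lowercase access-type names and the `schema-metadata` key are assumptions about how the UI labels map to the policy model.

```python
import json

def policy(service, name, resources, user, accesses):
    """Build one allow policy in the JSON shape of Ranger's policy model."""
    return {
        "service": service,
        "name": name,
        "resources": {k: {"values": v} for k, v in resources.items()},
        "policyItems": [{
            "users": [user],
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
        }],
    }

def wildcard_resources(p):
    """Return the resource keys whose values contain a '*' wildcard."""
    return sorted(k for k, r in p["resources"].items()
                  if any("*" in v for v in r["values"]))

# Placeholders (assumptions): service names and usernames are site-specific.
KAFKA, SR, HIVE = "<kafka-service>", "<schema-registry-service>", "Hadoop SQL"
MACHINE, WORKLOAD = "<machine-user>", "<workload-user>"

POLICIES = [
    # Explicit topic names rather than weather*, so the scope stays exact.
    policy(KAFKA, "bias-smm-kafka-ingest",
           {"topic": ["weather", "weather_forecast"]},
           MACHINE, ["publish", "consume", "configure"]),
    policy(KAFKA, "bias-smm-kafka-consumer",
           {"consumergroup": ["WeatherConsumer", "ForecastConsumer"]},
           MACHINE, ["consume"]),
    policy(SR, "bias-smm-sr-schema-group",
           {"schema-group": ["weather"],
            # "schema-metadata" is the assumed key behind the Schema Name field
            "schema-metadata": ["WeatherCurrent", "WeatherForecast"],
            "schema-branch": ["*"], "schema-version": ["*"]},
           MACHINE, ["read"]),
    policy(HIVE, "bias-all-database-table-column",
           {"database": ["*"], "table": ["*"], "column": ["*"]}, WORKLOAD,
           ["select", "update", "create", "drop", "alter", "read", "write"]),
]

def review(policies):
    """Map policy name -> wildcard-scoped resources, for change review."""
    return {p["name"]: wildcard_resources(p) for p in policies}

if __name__ == "__main__":
    print(json.dumps(review(POLICIES), indent=2))
```

The review output makes the broad grants visible at a glance: the Hadoop SQL policy covers every database, table, and column, so the workload user it names should be chosen accordingly.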