Data Explorer lets you browse S3 buckets, upload files to S3, and create tables by importing files from S3. With Ranger Authorization (RAZ), you can grant fine-grained access to per-user home directories.

If you enabled RAZ while registering your AWS environment with Cloudera, then Data Explorer uses RAZ as the default mechanism for enabling the S3 File Browser.

Before you can enable the S3 File Browser in Data Explorer, you must complete the following prerequisites:
- Follow the instructions listed in Introduction to RAZ on AWS environments to register an AWS environment with the Enable Ranger authorization for AWS S3 option enabled. You can use the Cloudera web interface or the Cloudera CLI to complete this task.
- Log in to the Cloudera Management Console as a DWAdmin or DWUser and go to the Cloudera Data Warehouse service.
- Click on your Database Catalog.
- Create the following Ranger policies:
  - Hadoop SQL policy (all - database, table, column, all - url). You must grant permissions to individual users or groups in these Ranger policies. To grant permissions to all users, you can specify {USER} in the Permission section.
  - S3 (cm_S3) policy (Default: User Home). You must grant permissions to the following users in the Permissions section for the user home directory (/user/{USER}): {USER}. Specify the bucket name in the S3 Bucket field and the directory path in the Path field of the cm_S3 Ranger policy.
  - S3 (cm_S3) policy (Default: user). You must grant permissions to the following users in the Permissions section for the root directory (/user/): hive, impala.
- You must also grant appropriate permissions to the users in Cloudera User Management Service (UMS). For example, EnvironmentUser.