Configuring Ranger policies for SSB

You must add SQL Stream Builder (SSB) service user named ssb to the Ranger policies that are used by Kafka, Schema Registry, Hive and Kudu to provide access to topics, schemas and tables provided by the components.

Before you begin

Install Apache Ranger on your cluster. For more information, see the Production Installation documentation.
Add the required Ranger policies for Flink. For more information, see Configuring Ranger policies for Flink documentation.

You can reach the Ranger User Interface through Cloudera Manager:

Go to your cluster in Cloudera Manager.
Select Ranger from the list of services.
Click on Ranger Admin Web UI.
You are redirected to the Ranger Admin Web UI.

Adding SSB user to Kafka policies

You must add the ssb user to the following policies:

all-consumergroup
all-topic

Select cm_kafka from the Service Manager home page on the Ranger Admin Web UI.
You are redirected to the list of Kafka policies page.
Click on the edit button of the all-consumergroup policy.
Add the SSB user to the Select User field under the Allow Conditions setting.
Click Save.
You are redirected to the list of Kafka policies page
Click on + More… to check if the SSB user is listed under the Users for the consumergroup policy.
Add the ssb user to the following policy with the above steps as well:
- all-topic

Adding SSB user to Schema Registry policies

You must add the ssb user to the following policy:

all-schema-group, schema-metadata, schema-branch, schema-version

Select cm_schema-registry from the Service Manager home page on the Ranger Admin Web UI.
You are redirected to the list of Schema Registry policies page.
Click on the edit button of the all-schema-group, schema-metadata, schema-branch, schema-version policy.
Add the ssb user to the Select User field under the Allow Conditions setting.
Click Save.
You are redirected to the list of Schema Registry policies page.
Click on + More… to check if the SSB user is listed under the Users for the schema-group, schema-metadata, schema-branch, schema-version policy.

Adding SSB user to Hive policies

You must add the ssb user to the following policy:

all-global
all-database, table, column
all-database, table
all-database
all-hiveservice
all-database, udf
all-url

Select cm_hadoopsql from the Service Manager home page on the Ranger Admin Web UI.
You are redirected to the list of Hadoop SQL policies page.
Click on the edit button of the all-global policy.
Add the SSB user to the Select User field under the Allow Conditions setting.
Click Save.
You are redirected to the list of Hadoop SQL policies page.
Click on + More… to check if the SSB user is listed under the Users for the all-global policy.
Add the ssb user to the following policy with the above steps as well:
- all-database, table, column
- all-database, table
- all-database
- all-hiveservice
- all-database, udf
- all-url

Adding SSB user to Kudu policies

You must create a policy to grant access to Kudu tables for the ssb user.

Select cm_kudu from the Service Manager home page on the Ranger Admin Web UI.
You are redirected to the Create Policy page.
Click on Add New Policy.
Provide a name to the Policy Name field.
Provide a prefix for the Databases you want to add to the policy or type * to select all.
Provide a prefix for the table you want to add to the policy or type * to select all.
Provide a prefix for the column you want to add to the policy or type * to select all.
Add the ssb user to the Select User field under the Allow Conditions setting.
Click on the plus icon to Add Permissions to the Permissions field.
Click on the specific permissions or Select All.
Click on Add at the bottom of the page.
You are redirected to the list of Kudu policies page where the created policy should be listed.
Click on + More… to check if the ssb user is listed under the Users for the created policy.