Configuring Ranger policies for Flink

You must add Flink users to the Ranger policies that are used by Kafka, Schema Registry, and Kudu to provide access to topics, schemas and tables provided by the components.

Before you begin

Install Apache Ranger on your cluster. For more information, see the Production Installation documentation.

You can reach the Ranger User Interface through Cloudera Manager:
  1. Go to your cluster in Cloudera Manager.
  2. Select Ranger from the list of services.
  3. Click on Ranger Admin Web UI.

    You are redirected to the Ranger Service Manager.

You need to create a Flink user group, and add the Flink users to set the required permissions in a group level:
  1. Create a Flink user group in the Ranger Service Manager.
    1. Click Settings > Users/Groups/Roles.
    2. Select Groups tab.
    3. Clink on Add New Group.
    4. Provide a Name to the group and a Description.
    5. Click Save.
  2. Add new users to the Flink group.
    1. Click Settings > Users/Groups/Roles.
    2. Select Users tab.
    3. Clink on Add New User.
    4. Provide the basic information about the user.
    5. Select a Role to the user.
    6. Select the created Flink group.
    7. Click Save.

Adding Flink group to Kafka policies

You must add the Flink group to the following policies:
  • all-consumergroup
  • all-topic
  1. Select cm_kafka from the Service Manager home page on the Ranger Admin Web UI.

    You are redirected to the list of Kafka policies page.

  2. Click on the edit button of the all-consumergroup policy.
  3. Add the Flink group to the Select Group field under the Allow Conditions setting.
  4. Click Save.

    You are redirected to the list of Kafka policies page

  5. Click on + More… to check if the Flink group is listed under the Groups for the consumergroup policy.
  6. Add the Flink user to the following policy with the above steps as well:
    • all-topic

Adding Flink group to Schema Registry policies

You must add the Flink group to the following policy:
  • all-schema-group, schema-metadata, schema-branch, schema-version
  1. Select cm_schema-registry from the Service Manager home page on the Ranger Admin Web UI.

    You are redirected to the list of Schema Registry policies page.

  2. Click on the edit button of the all-schema-group, schema-metadata, schema-branch, schema-version policy.
  3. Add the Flink user to the Select Group field under the Allow Conditions setting.
  4. Click Save.

    You are redirected to the list of Schema Registry policies page.

  5. Click on + More… to check if the Flink group is listed under the Groups for the schema-group, schema-metadata, schema-branch, schema-version policy.

Adding Flink group to Kudu policies

You must create a policy to grant access to Kudu tables for the Flink group.

  1. Select cm_kudu from the Service Manager home page on the Ranger Admin Web UI.

    You are redirected to the Create Policy page.

  2. Click on Add New Policy.
  3. Provide a name to the Policy Name field.
  4. Provide a prefix for the Databases you want to add to the policy or type * to select all.
  5. Provide a prefix for the table you want to add to the policy or type * to select all.
  6. Provide a prefix for the column you want to add to the policy or type * to select all.
  7. Add the Flink user to the Select User field under the Allow Conditions setting.
  8. Click on the plus icon to Add Permissions to the Permissions field.
  9. Click on the specific permissions or Select All.
  10. Click on Add at the bottom of the page.

    You are redirected to the list of Kudu policies page where the created policy should be listed.

  11. Click on + More… to check if the Flink group is listed under the Groups for the created policy.