You might want to manually enable Ranger Authorization (RAZ) if you have a Cloudera Data Warehouse that predates the capability to enable RAZ for AWS S3.
In this case, if you need Ranger authorization in Data Explorer, perform this task.
When you activate your environment in 1-6.3-b319 (released April 5, 2023) or later, you configure S3 access using the Fine-grained access control on S3 dialog in the Cloudera Management Console UI. If your Data Lake is RAZ-enabled (Enable Ranger authorization for AWS S3), Cloudera Data Warehouse is RAZ-enabled by default, and cannot be turned off. Cloudera Data Warehouse will be RAZ-enabled to provide authorization mainly in Data Explorer. There is nothing more you need to do.
If you activated your Cloudera Data Warehouse environment in 1-6.2-b197 (released Feb 14, 2023) or earlier, your Cloudera Data Warehouse is not RAZ-enabled (Enable Ranger authorization for AWS S3 is not enabled). You can manually enable RAZ for Cloudera Data Warehouse only if the Data Lake is RAZ-enabled. You follow the steps below to manually enable RAZ for AWS S3 mainly for authorization of Data Explorer users.

Your Data Lake must be RAZ-enabled before you can perform these steps.
1. Obtain a list of the permissions policies related to the AWS IAM role for Ranger authorizer you created on AWS.
   In some cases, this role is interchangeable with the DATA_LAKE_ADMIN role for AWS S3. For information about this role and policies, see "Required IAM resources".
   Minimal permissions policies are:
   - aws-cdp-datalake-admin-s3-policy
   - aws-cdp-bucket-access-policy
   - aws-datalake-backup-policy
   - aws-datalake-restore-policy
2. Get the cluster ID from the Environments tile in the Cloudera Data Warehouse service UI.
3. Navigate to AWS Management Console > CloudFormation and locate the stack corresponding to the cluster ID.
4. Click the CloudFormation stack name.
   This stack name is the one in this format: <cluster-ID>-dwx-stack. For example, if the cluster ID is env-6cwwgg, the CloudFormation stack name for this cluster is env-6cwwgg-dwx-stack.
   In CloudFormation stack details, in Resources, the NodeInstanceRole appears in the Logical ID column.
5. Click the NodeInstanceRole link.
   The Node instance Role page appears.
6. Click Add Permissions > Attach Policies, and on the next page, in Permissions Policies, select the policies from step 1.
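To confirm the result of the steps above, the following added example (not Cloudera's code) derives the stack name from the cluster ID, finds the role behind the NodeInstanceRole logical ID, and reports which of the minimal policies are still not attached. It assumes you saved the JSON output of `aws cloudformation describe-stack-resources` and `aws iam list-attached-role-policies`, and that your policies use exactly the names listed in step 1; the sample JSON, role name and account ID are constructed.

```python
import json

# Minimal permissions policies listed in step 1 of this page.
# Assumption: your account uses exactly these policy names.
REQUIRED_POLICIES = (
    "aws-cdp-datalake-admin-s3-policy",
    "aws-cdp-bucket-access-policy",
    "aws-datalake-backup-policy",
    "aws-datalake-restore-policy",
)

def stack_name(cluster_id):
    """CloudFormation stack name in the <cluster-ID>-dwx-stack format."""
    return f"{cluster_id}-dwx-stack"

def node_instance_role(stack_resources_json):
    """IAM role name (physical ID) behind the NodeInstanceRole logical ID."""
    for res in json.loads(stack_resources_json).get("StackResources", []):
        if (res.get("LogicalResourceId") == "NodeInstanceRole"
                and res.get("ResourceType") == "AWS::IAM::Role"):
            return res["PhysicalResourceId"]
    raise LookupError("NodeInstanceRole not found in stack resources")

def missing_policies(attached_json):
    """Required policies not attached to the role, in the page's order."""
    attached = {p["PolicyName"]
                for p in json.loads(attached_json).get("AttachedPolicies", [])}
    return [name for name in REQUIRED_POLICIES if name not in attached]

# Constructed sample: trimmed `describe-stack-resources` output.
SAMPLE_STACK_RESOURCES = json.dumps({"StackResources": [
    {"LogicalResourceId": "NodeInstanceRole", "ResourceType": "AWS::IAM::Role",
     "PhysicalResourceId": "example-node-instance-role"},
]})
# Constructed sample: role with only two of the four policies attached.
ARN = "arn:aws:iam::111122223333:policy/"
SAMPLE_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": n, "PolicyArn": ARN + n}
    for n in ("aws-cdp-bucket-access-policy", "aws-datalake-backup-policy")
]})

if __name__ == "__main__":
    print("stack:", stack_name("env-6cwwgg"))
    print("role:", node_instance_role(SAMPLE_STACK_RESOURCES))
    gaps = missing_policies(SAMPLE_ATTACHED)
    print("missing:", ", ".join(gaps) if gaps else "none")
```

An empty result from `missing_policies` means every policy from step 1 is attached to the node instance role.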