Enabling RAZ manually

You might want to manually enable Ranger Authorization (RAZ) if you have a Cloudera Data Warehouse (CDW that predates the capability to enable RAZ for AWS S3. In this case, if you need Ranger authorization in Hue, perform this task.

For an introduction to enabling RAZ, see the Management Console documentation.

When you activate your environment in 1-6.3-b319 (released April 5, 2023) or later, you configure S3 access using the Fine-grained access control on S3 dialog in the Management Console UI. If your Data Lake is RAZ-enabled (Enable Ranger authorization for AWS S3), CDW is RAZ-enabled by default, and cannot be turned off. CDW will be RAZ-enabled to provide authorization mainly in Hue. There is nothing more you need to do.

If you activated your CDW environment in 1-6.2-b197 (released Feb 14, 2023) or earlier, your CDW is not RAZ-enabled (Enable Ranger authorization for AWS S3 is not enabled). You can manually enable RAZ for CDW only if the Data Lake is RAZ-enabled. You follow the steps below to manually enable RAZ for AWS S3 mainly for authorization of Hue users.
Your Data Lake must be RAZ-enabled before you can perform these steps.
  1. Obtain a list of the permissions policies related to the AWS IAM role for Ranger authorizer you created on AWS.
    In some cases, this role is interchangeable with the DATA_LAKE_ADMIN role for AWS S3. For information about this role and policies, see "Required IAM resources".
    Minimal permissions policies are:
    • aws-cdp-datalake-admin-s3-policy
    • aws-cdp-bucket-access-policy
    • aws-datalake-backup-policy
    • aws-datalake-restore-policy
  2. Get the cluster ID from the Environments tile in the CDW service UI.
  3. Navigate to AWS Management Console > CloudFormation and locate the stack corresponding to the cluster ID.
  4. Click the CloudFormation stack name. This stack name is the one in this format: <cluster-ID>-dwx-stack. For example, if the cluster ID is env-6cwwgg, the CloudFormation stack name for this cluster is env-6cwwgg-dwx-stack.
    In CloudFormation stack details, in Resources, the NodeInstanceRole appears in the Logical ID column.
  5. Click the NodeInstanceRole link.
    The Node instance Role page appears.
  6. Click Add Permissions > Attach Policies, and on the next page, in Permissions Policies, select the policies from step 1.