AWS Fine-grained Access Control

Creating Ranger policy to use in RAZ-enabled AWS environment

After you register the RAZ-enabled AWS environment, you can log in to Ranger to create the policies for granular access to the environment’s cloud storage location. To create the Ranger policy, you must first create the required S3 policy and then a Hive URL authorization policy, on an S3 path for the end user.

To create the required S3 policy on an S3 path for end user, perform the following steps:
1. Navigate to the Ranger UI.
2. On the S3 tab, click cm_s3.
3. Click Add New Policy in the top right corner.
4. Provide the following policy details:
  1. Enter Policy Name.
  2. Enter an S3 Bucket name.
  3. Provide a Path within the S3 bucket.
  4. Select users and permissions to assign to the end user.
    Only Read and Write permissions can be assigned to the end user.
  The following sample image shows the Create Policy page in Ranger UI to create an S3 policy on an S3 path for an end user.
5. Click Add to save the policy.
To create a Hive URL authorization policy on an S3 path for the end user, perform the following steps:
1. Navigate to the Ranger UI.
2. On the Hadoop SQL tab, click Hadoop SQL.
3. Click Add New Policy in the top right corner.
4. Provide the policy details. The following sample image shows the policy details:
  1. Enter Policy Name.
  2. Enter the Hive URL authorization path in the url field, and enable the Recursive option.
  3. Provide a Path within the S3 bucket.
    note
    You can append *, also known as a "wildcard", to the path name. For example: s3a://bucket/* . Appending * to a URL path grants (or denies) access to the child directories in that path.
  4. Select users and permissions to assign to the end user.
    note
    Only Read permission can be assigned to the end user.
  The following sample image shows the Policy Details page in Ranger UI to create a Hive URL authorization policy on an S3 path for an end user.
5. Click Add to save the policy.