Introduction to RAZ on AWS environments

CDP Public Cloud defaults to using cloud storage which might be challenging while managing data access across teams and individual users. The Ranger Authorization Service (RAZ) resolves this challenge by enabling Amazon S3 users to use fine-grained access policies and audit capabilities available in Apache Ranger similar to those used with HDFS files in an on-premises or IaaS deployment.

Many of the use cases that RAZ for S3 enables are cases where access control on files or directories is needed. Some examples include:
  • Per-user home directories.
  • Data engineering (Spark) efforts that require access to cloud storage objects and directories.
  • Data warehouse queries (Hive/Impala) that use external tables.
  • Access to Ranger's rich access control policies such as date-based access revocation, user/group/role-based controls, along with corresponding audit.
  • Tag-based access control using the classification propagation feature that originates from directories.

Prior to the introduction of RAZ, controlling access to S3 could be enforced at coarse-grained group level using IDBroker mappings. This required rearchitecting the implementation of important file-centric activities as well as admin-level access to both the AWS account and the CDP account.

In HDP and CDH deployments, files and directories are protected with a combination of HDFS Access Control Lists (ACLs) (in CDH, HDP) and Ranger HDFS policies (in HDP). Similarly, in an AWS CDP Public Cloud environment with RAZ for S3 enabled, Ranger's rich access control policies can be applied to CDP's access to S3 buckets, directories, and files and can be controlled with admin-level access to CDP alone.

The core RAZ for AWS for Data Lakes and several Data Hub templates are available for production use. The following Data Hub cluster types are supported:
  • Data Lake Backup and Restore of RAZ-enabled environments
  • Data Engineering
  • Data Engineering HA
  • Data Engineering Spark3
  • Operational Database with SQL
Specifically, Hive, Spark, HBase, and Oozie are supported.

RAZ integration for Cloudera Data Flow (CDF) is supported.

Limitations to use RAZ in AWS environments

The following limitations and known issues have been identified and are under development:
  • Currently, there is no automated way to enable RAZ in an existing CDP environment that does not have RAZ enabled.
  • RAZ integration is under technical preview for:
    • Cloudera Machine Learning (CML)
    • Cloudera Data Warehouse (CDW)
    • Cloudera Data Engineering (CDE)
    • Integration with Data Hub Hue's File Browser
  • The following components are not supported by RAZ:
    • Solr, Kudu, Flink, and NiFi.

Architecture diagram

The following architecture diagram shows how RAZ integrates and interacts with other components in a RAZ-enabled AWS environment:
The image shows an architecture diagram which illustrates how RAZ is integrates and interacts with other components in a RAZ-enabled AWS environment.