Azure Fine-grained Access ControlPDF version

Introduction to RAZ on Azure environments

Shared Data Experience (SDX) in Cloudera on cloud provides Ranger Authorization Server (RAZ) service for fine grained access control and auditing of various services and workloads running in Enterprise Data Cloud. To use RAZ server capabilities, you must first enable RAZ in an Azure environment in Cloudera .

Cloudera defaults to using cloud storage which might be challenging while managing data access across teams and individual users. The Ranger Authorization Service (RAZ) resolves this challenge by enabling ADLS Gen2 users to use fine-grained access policies and audit capabilities available in Apache Ranger similar to those used with HDFS files in an on-premises or IaaS deployment.

Prior to the introduction of RAZ, controlling access to ADLS Gen2 could be enforced at coarse-grained group level (using IDBroker mappings). This required rearchitecting the implementation of important file-centric activities as well as admin-level access to both the Azure subscription and Cloudera account.

In HDP and CDH deployments, files and directories are protected with a combination of HDFS Access Control Lists (ACLs) (in CDH, HDP) and Ranger HDFS policies (in HDP). Similarly, in a Cloudera on Azure environment with RAZ for ADLS Gen2 enabled, Ranger's rich access control policies can be applied to Cloudera's access to ADLS Gen2 containers, directories, and files and can be controlled with admin-level access to Cloudera alone.

Many of the use cases that RAZ for Azure enables are cases where access control on files or directories is needed. Some examples include:
  • Per-user home directories.
  • Data engineering (Spark) efforts that require access to cloud storage objects and directories.
  • Data warehouse queries (Hive/Impala) that use external tables.
  • Access to Ranger's rich access control policies such as date-based access revocation, user/group/role-based controls, along with corresponding audit.
  • Tag-based access control using the classification propagation feature that originates from directories.
The core RAZ for Azure for Data Lakes and several Cloudera Data Hub templates are available for production use. The following Cloudera Data Hub cluster types are supported:
  • Cloudera Data Engineering
  • Cloudera Data Engineering HA
  • Cloudera Data Engineering Spark3
  • Cloudera Operational Database with SQL
Specifically, Hive, Spark, HBase, and Oozie are supported.
RAZ is fully integrated with the following Cloudera data services:
  • Cloudera DataFlow
  • Cloudera Data Engineering
  • Cloudera Machine Learning
  • Cloudera Operational Database

You can backup and restore the metadata maintained in the Data Lake services of RAZ-enabled environments. For more information, see Data Lake Backup and Restore.

The following limitations and known issues have been identified and are under development:
  • Currently, there is no automated way to enable RAZ in an existing Cloudera environment that does not have RAZ enabled.
  • RAZ integration is under technical preview for the following Cloudera services:
    • Cloudera Data Warehouse
    • Integration with Cloudera Data Hub Hue's File Browser
  • Solr, Kudu, and NiFi are not supported by RAZ.

We want your opinion

How can we improve this page?

What kind of feedback do you have?