Configuring Atlas Authorization using Ranger

Use the Ranger Admin UI to add or update policies to control Atlas access.

You can use Ranger policies to control user-access to Atlas metadata and to actions that users can perform in Atlas. The following policies are defined by default:

  • admin: the initial Atlas administrator user has full access to all Atlas actions, including full access to entity metadata, classifications, business metadata attributes, labels and relationship creation, the ability to create new entity, enumeration, structure, and relationship types, the ability to import, export, and purge metadata from Atlas, and the ability to save searches.
  • dpprofiler: the Data Plane service user has the same extensive privileges as the admin user. These privileges allow integration between the Data Catalog (Data Steward Studio) and Atlas.
  • beacon: the Replication Manager service user has the same extensive privileges as the admin user. These privileges allow Atlas to participate in cluster-level disaster recovery operations.
  • rangertagsync: the TagSync service user has read access to entity metadata, specifically to entity classifications, business metadata, and labels to be used in Ranger tag-based policies.
  • rangerlookup: the Ranger lookup service user has read access to entity metadata, specifically to entity classifications, business metadata, and labels to be used in enforcing Ranger policies.
  • public: all users are granted access to read Atlas entity metadata, classifications, labels, and relationships (such as lineage).
  • {USER}: any user who successfully logs in to Atlas can save searches so they are available in subsequent Atlas sessions.

To change Ranger policies for Atlas, your user needs privileges in Ranger to change Resource Based Policies.

  1. Open the Ranger service that is running in the same cluster as Atlas.
    One way to do this is to open the Ranger Admin Web UI from Cloudera Manager.

  2. Open Access Manager > Resource Based Policies and select Atlas policies (cm_atlas).


  3. On the List of Policies page, click Add New Policy.
  4. Use the Create Policy page to specify the Atlas authorization policy.

    Ranger fields support ? and * wildcards for single and multiple character replacement. To apply the policy to all types of a given entry, use *.

    These selections can be set to "include" the selected resources or "exclude" the selected resources. An include policy applies only to the named types. An exclude policy for the same type would apply to all metadata types other than named types.

    Ranger Authorization with classifications

    Currently in Atlas, we have the following authorization options for using classification:

    • Authorization on types: Where user can create a new classification def (not the association)

      For example: Only admin_user is allowed to create tags - PII, PHI..etc.
    • Authorization on Entity: For entities with typeName hive_table with qualifiedName (abc@cl1) and having classification (already associated) can add, update, and remove classifications.

      For example, if any Hive table with qualifiedName 'emp@cl1 and having the tag PII, the admin_user can add the SENSITIVE tag.

    Authorization Enhancement

    The enhancement is provided to authorize as to who can add, remove, and update classification for an entity. Even if the entities on which classification have to be applied, that do not have classifications already tagged to it, provided the entity-type, Entity-ID and classification on it matches the specified policy.

    For example, any users belonging to the user group - finance_group can add classification - FINANCE_PII to any entities (these entities may or may not have any classifications associated) if the policy has provided access to the user or user-group.

    To achieve this, a new field named classification is introduced in the Ranger UI in which tags to be added can be specified.

    Entity Classification denotes the classifications already associated with the entity.

    For example:

    Entity Classification - Finance_*

    Classification: Finance_PII

    Access: Group: finance_group, Permission: Add/Update/Delete Classifications.

    Any user in finance_group can now add Finance_PII classification to entities tagged with Finance_*.

    If users try to add Sales_PII tag to the entity, Ranger denies it and does not approve the authorization.

    Policy Type Access. There are no other policy types available for an Atlas service.
    Policy Name 255 character name that appears in the list of policies. Roles, users, and groups also show up in the list, so it helps if your name includes the operations or metadata that the policy controls.
    Policy Label Metadata you can include in the policy definition to help organize the policies for a given service. The same label can be added to any number of policies for the service. There is no limit to the number of characters in a label, but only 28 characters display in the policy list.
    type-category menu The metadata or operation type ("resources" in Ranger terms) that the policy applies to, including:
    • type-category
    • entity-type
    • atlas-service
    • relationship-type
    type-category option Choose this option to authorize actions generally against Atlas resource types, including business metadata, classifications, enumerations, entities, relationships, structures.

    With type-category selected, options include:

    Type Name Refine the authorization to specific types within the named type category. For example, to give users authorization to create Atlas Business Metadata, choose type-category and the category Business Metadata; then set the Type Name to *. For example, to authorize users to add values to an existing enum, such as AtlasGlossaryTermRelationshipStatus, add this enum to the Type Name and include the permission for "Update Type" in the Allow Condition. To allow users to update any types within the type category, use *.

    To determine the supported values, use the Atlas UI or API to show the defined types.

    entity-type option Authorizes actions against specific entity types, individual entities, entities identified by associated classifications, or entities identified by associated metadata.

    For example, to authorize users to add classifications or metadata to any Hive table entities, set the entity-type to hive_table and set additional options to *.

    With entity-type selected, options include:
    Entity Classification Refines the list of entities in entity-type to those associated with a specified classification. For example, to restrict authorization to Hive tables that were marked with some classification that indicates their readiness for use, set entity-type to hive_table and include the identifying classification name (e.g., Available) in Entity Classification.
    Entity ID Refines the list of entities in entity-type to those associated with a specified ID. When the detail page for an entity is open in the Atlas UI, the last element of the browser URL indicates the entity ID.
    classification

    Provides the option to authorize as to who can add, remove, and update classification for an entity, even if the entities on which classification have to be applied, which do not have classifications already tagged to it, provided the entity-type, Entity-ID and classification on it matches the specified policy.

    Metadata types selection Refines the list of entities in entity-type to those associated with specific user-defined metadata, including:
    • entity-label
    • entity-business-metadata
    • classification
    • none

    Set label names in the type entity-label to limit the authorization policy to entities marked with any of those labels. Use * to indicate any label.

    Set business metadata collection names in the type entity-business-metadata to limit the authorization policy to entities marked with metadata attributes from that business metadata collection. Use * to indicate any business metadata collections.

    atlas-service option Authorizes the import and export Atlas entities and purge deleted entities through the API. This privilege overrides specific privileges for entity-types. Typically the users with this privilege are service users creating entities in Atlas.
    relationship-type option Authorizes the creation and update of Atlas relationships. You can identify specific relationship types or use * to indicate any relationship type. Typically the users with this privilege are service users creating entities in Atlas.
    End1 Entity Type

    End1 Entity Classification

    End1 Entity ID

    End2 Entity Type

    End2 Entity Classification

    End2 Entity ID

    Refines the relationship authorization to specific attributes of relationships. "End1" and "End2" indicate the entities on each side of the relationship. For example, you could use the End1 and End2 Entity Type options to allow modification of relationships when one side of the relationship are Hive tables and the other side Hive columns.
    Description Information that you add to help you remember the value of this policy. The description can be up to 1000 characters.
    Audit Logging Enables Ranger's audit logging for this policy. There are other options in Ranger's configuration that can conflict with this option, but generally if you turn off this setting, Ranger enforces the policy but does not audit success or failed actions against the policy.
    Allow Conditions Choose the roles, users, and/or groups and the permissions they can access for the resources defined in the policy. If you need to include parts of overlapping groups, add an exclude condition in addition to the allow condition.
    Deny Conditions Choose the roles, users, and/or groups and the permissions they cannot access for the resources defined in the policy.
  5. Click Add.
You should be able to validate the policy almost immediately after saving a valid policy.