Configure a resource-based storage handler policy: HadoopSQL

How to configure a policy that allows authorized users to create data tables using storage-handlers.

Ranger includes “storage-type” and “storage-url” resources in HadoopSQL Service that support only the permission “RW Storage ” permission. Ranger authorizes a user that creates or alters a table against this resource policy. A user having the required “RW Storage” permission on the resource representing the storage-type and storage-url, is allowed to create/alter the table in the respective storage.

  1. On the Service Manager page, select HadoopSQL service.
    The List of Policies HadoopSQL page appears.
  2. To create a new policy, click Add New Policy.
    1. On Create Policy click storage-type as shown in the following example:
    2. Complete the required* fields.
    3. In Allow Conditions, select users, then add the RW Storage permission, as shown in the preceeding example.
    4. Scroll to the bottom of Create Policy, then click Add.
  3. To configure an existing policy named all - storage-type, storage-url, click Edit.

    The Edit Policy page appears.


    Ranger > Edit HadoopSQL Policy page.
  4. Complete the Edit Policy page as follows:
    Table 1. Policy Details
    Field Description
    Policy Name Enter an appropriate policy name. This name cannot be duplicated across the system. This field is mandatory. The policy is enabled by default.
    normal/override Enables you to specify an override policy. When override is selected, the access permissions in the policy override the access permissions in existing policies. This feature can be used with Add Validity Period to create temporary access policies that override existing policies.
    Policy Label Specify a label for this policy. You can search reports and filter policies based on these labels.
    storage-type

    Type in the applicable storage type.

    * allows athorizes users to create any table in the spcified storage type..

    storage url

    Type in the applicable storage url

    * allows athorizes users to create any table in the spcified storage url. Select Exclude to deny access.

    Description

    (Optional) Describe the purpose of the policy.

    Audit Logging Specify whether this policy is audited. (De-select to disable auditing).
    Add Validity Period Specify a start and end time for the policy.
    Table 2. Allow Conditions

    Label

    Description

    Select User

    Specify the users to which this policy applies.

    To designate a user as an Administrator, select the Delegate Admin check box. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    Permissions

    Add or edit permissions: RW Storage, You can assign read and select permissions to rangerlookup user.

    Delegate Admin You can use Delegate Admin to assign administrator privileges to the roles, groups, or users specified in the policy. Administrators can edit or delete the policy, and can also create child policies based on the original policy.
Example StorageHandler Policy Definitions:
Phoenix StoragerHandler policy:
Storage Type: PhoenixStorageHandler
Storage Url: phoenix-cluster:port/table-name
Kafka StoragerHandler policy:
Storage Type: kafka
Storage Url: bootstrap-server:port/kafka-topic
JDBC StorageHandler policy:
Storage Type: jdbc:mysql
Storage Url: mysql-host:port/DBname/Table , or
Sorage Url: mysql-host:port/DBname/*