Configure a resource-based storage handler policy: HadoopSQL
How to configure a policy that allows authorized users to create data tables using storage-handlers.
Ranger includes “storage-type” and “storage-url” resources in HadoopSQL Service that support only the permission “RW Storage ” permission. Ranger authorizes a user that creates or alters a table against this resource policy. A user having the required “RW Storage” permission on the resource representing the storage-type and storage-url, is allowed to create/alter the table in the respective storage.
On the Service Manager page, select HadoopSQL service.
The List of Policies HadoopSQL page appears.
To create a new policy, click Add New Policy.
On Create Policy click
storage-type as shown in the following
- Complete the required* fields.
- In Allow Conditions, select users, then add the RW Storage permission, as shown in the preceeding example.
- Scroll to the bottom of Create Policy, then click Add.
- On Create Policy click storage-type as shown in the following example:
To configure an existing policy named all - storage-type, storage-url, click
The Edit Policy page appears.
Complete the Edit Policy page as follows:
Table 1. Policy Details Field Description Policy Name Enter an appropriate policy name. This name cannot be duplicated across the system. This field is mandatory. The policy is enabled by default. normal/override Enables you to specify an override policy. When override is selected, the access permissions in the policy override the access permissions in existing policies. This feature can be used with Add Validity Period to create temporary access policies that override existing policies. Policy Label Specify a label for this policy. You can search reports and filter policies based on these labels. storage-type
Type in the applicable storage type.
* allows athorizes users to create any table in the spcified storage type..
Type in the applicable storage URL.
* allows athorizes users to create any table in the spcified storage URL. Select Exclude to deny access.
(Optional) Describe the purpose of the policy.
Audit Logging Specify whether this policy is audited. (De-select to disable auditing). Add Validity Period Specify a start and end time for the policy. Table 2. Allow Conditions
Specify the users to which this policy applies.
To designate a user as an Administrator, select the Delegate Admin check box. Administrators can edit or delete the policy, and can also create child policies based on the original policy.
Add or edit permissions: RW Storage, You can assign read and select permissions to rangerlookup user.
Delegate Admin You can use Delegate Admin to assign administrator privileges to the roles, groups, or users specified in the policy. Administrators can edit or delete the policy, and can also create child policies based on the original policy.
- HBase StorageHandler policy:
- Storage Type: hbase
- Storage URL: hbase-cluster:port/hbase-table
- Phoenix StorageHandler policy:
- Storage Type: phoenix
- Storage URL: phoenix-cluster:port/table-name
- Kafka StorageHandler policy:
- Storage Type: kafka
- Storage URL: bootstrap-server:port/kafka-topic
- JDBC StorageHandler policy:
- Storage Type: jdbc:mysql
- Storage URL: mysql-host:port/DBname/Table , or
- Sorage URL: mysql-host:port/DBname/*