Cloudera Docs

Security Zones Example Use Cases

Four example use cases for admininistering security zones.

Based on the following example:

Zone: finance
          service: prod_hdfs; path=/finance/*, /taxes/*
          service: prod_hive; database=finance
          service: prod_kafka; topic=FIN_*
          service: test_hadoop; path=/finance/*, /taxes/*
Zone: sales
          service: prod_hadoop; path=/sales/*
          service: prod_hive; database=sales
          service: prod_kafka; topic=SALES_*

Use case 1 : Access HDFS path using zone policy

For example, let us access hdfs path using unixuser1 user from finance zone.

Finance zone resource:
Ranger Service : prod_hdfs
Resource : /finance/*
Finance zone policy:
Resource Path : /finance/*
User : unixuser1
Permission : read, write, execute

Now, when unixuser1 user tries to create dir in /finance dir, Ranger checks for zone with resource /finance and policy for that user in that zone and then allows access for that user. Also, access-audit logs for that operation appear in the Ranger Admin Web UI, Access Audit tab.

Use case 2 : Hive access policy and tag masking policy

For example, we want to manage access policies and masking policy for taxation-related information in multiple finance databases for an organization.

Zone Resource :
Zone Tag service: cm_tag
Ranger Service : prod_hive
Resource :
Database : finance
Zone policy resource
Tag policy
resource:TDS
Hive policy
Resource :
Database : finance

Now, the Admin and security zone admin can create access policies and masking policies for all the resources associated with tag TDS and as and when new tables on Hive / Hbase are created for saving any taxation related data. They can associate a TDS tag with a related Hive / Hbase column. This will enable zone admin to create policies for masking the confidential data of its organization.

Use case 3 : Knox topologies

For example, suppose we want to manage access to a service. We can mange access to a service using topology.

Zone Resource :
Ranger Service : prod_knox
Resource:
Knox Topology:cdp-proxy-api
Knox Service:WEBHDFS
Zone deny policy Resource:
Knox Topology:cdp-proxy-api
Knox Service:WEBHDFS

Without a security zone, access to webhdfs is allowed since the default policy has a 'public' group in it.

Use case 4 : Import and export of zone policy

We can import and export zone policies from stage to prod.

Suppose we want to have the same policy in production that exists on stage. We can export the zone policy from the stage where the exported json has a zone name as a parameter in the json. While importing, we can map the zone name of stage to prod and then import the policies.