Ranger RMS (Hive-S3 ACL-Sync) Use Cases

This topic presents a few common use cases for Ranger RMS (Hive-S3 ACL-Sync).

Use Case 1: RMS Hive policies control access to a table's S3 directories

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. User "unixuser1" does not have any policy to allow it access to table "Customer".
  4. User "unixuser1" tries to access the storage location through the hdfs command.

Before setting up RMS:

If S3 policies configured through Ranger Admin allow access to the location of the "Customer" table, access will be granted to "unixuser1". The audit log will have "ranger-acl" as the access enforcer.

After setting up RMS:

Access will not be granted to user "unixuser1", even if an S3 policy allows the location, because the location now maps to the "Customer" table and no Hive policy grants "unixuser1" access to it. The audit log will not show a denying policy, since the denial comes from the absence of a Hive policy that allows access rather than from an explicit deny.

Use Case 2: RMS Hive policies propagate tag-based access control on tables to S3 directories

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
  4. A policy for the tag "SPECIAL_ACCESS" provides Hive select access to "unixuser1".
  5. User "unixuser1" tries to read the Hive data through the S3 command.

Before setting up RMS:

If S3 policies configured through Ranger Admin allow access to the location of the "Customer" table, access will be granted to "unixuser1". Otherwise, access is denied.

After setting up RMS:

Access will be granted by tag-based policy for "SPECIAL_ACCESS".

Use Case 3: RMS Hive policies propagate tag-based masking on tables and deny access to S3 directories

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
  4. A policy for the tag "SPECIAL_ACCESS" provides Hive select access to "unixuser1".
  5. A masking policy for the "Customer" table is set up so that for "unixuser1" a column "SSN" is redacted.
  6. User "unixuser1" tries to read the Hive data through the hdfs command.

Before setting up RMS:

If S3 policies configured through Ranger Admin allow access to the location of the "Customer" table, access will be granted to "unixuser1". Otherwise, access is denied.

After setting up RMS:

Access will be denied by the masking policy. A column mask cannot be applied to the raw files in the table's storage location, so RMS denies file-level access rather than let "unixuser1" read the unmasked "SSN" column by bypassing Hive.

Use Case 4: RMS Hive policies take precedence over S3 policies

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. User "unixuser1" has an S3 policy allowing read access.
  4. User "unixuser1" has a Hive policy to allow it access to the "Customer" table.
  5. User "unixuser1" tries to access the Hive data through the hdfs command.

Before setting up RMS:

Access will be granted by the Ranger S3 policy.

After setting up RMS:

Access will be granted to the "unixuser1" user through the Hive policy, not the S3 policy. The audit log will show the Hive policy as the policy that granted access.
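The following is an added example, not Ranger or RMS code: a small model of the decisions the four use cases above describe, so that the precedence rules can be checked side by side. The table location "s3a://warehouse/default/customer", the policy labels, and the file name "part-00000" are assumptions made for illustration. It generalizes the use cases slightly by letting the S3 policy be present or absent in every case.

```python
# Added example: a toy model of the Hive-S3 ACL-Sync decisions in the four use cases.
# Not Ranger/RMS code; locations, policy labels and file names are constructed.
from dataclasses import dataclass, field
from typing import Optional

USER = "unixuser1"
TABLE = "default.customer"
LOCATION = "s3a://warehouse/default/customer"   # assumed storage location of the table


@dataclass
class Decision:
    allowed: bool
    policy: Optional[str]   # the policy that decided, or None when no policy matched


@dataclass
class RangerState:
    table_location: dict = field(default_factory=dict)  # table -> storage location
    s3_read: dict = field(default_factory=dict)         # user -> locations with read access
    hive_select: dict = field(default_factory=dict)     # user -> tables with select (resource policy)
    table_tags: dict = field(default_factory=dict)      # table -> tags attached to it
    tag_select: dict = field(default_factory=dict)      # tag -> users granted select by a tag policy
    masking: dict = field(default_factory=dict)         # (user, table) -> masked column
    rms_enabled: bool = False


def _under(path, loc):
    loc = loc.rstrip("/")
    return path == loc or path.startswith(loc + "/")


def table_for_path(state, path):
    """Longest-prefix match of a storage path against the known table locations."""
    matches = [(len(loc), t) for t, loc in state.table_location.items() if _under(path, loc)]
    return max(matches)[1] if matches else None


def s3_decision(state, user, path):
    """Before RMS (or for paths not mapped to a table): only S3 policies apply."""
    for loc in state.s3_read.get(user, []):
        if _under(path, loc):
            return Decision(True, f"s3-read:{loc}")
    return Decision(False, None)


def hive_decision(state, user, table):
    """With RMS: the Hive policies of the mapped table decide file-level access."""
    # A masking policy cannot be honored on raw files, so it denies (use case 3).
    if (user, table) in state.masking:
        return Decision(False, f"hive-masking:{table}.{state.masking[(user, table)]}")
    if table in state.hive_select.get(user, []):            # resource policy (use case 4)
        return Decision(True, f"hive-select:{table}")
    for tag in state.table_tags.get(table, []):             # tag-based policy (use case 2)
        if user in state.tag_select.get(tag, []):
            return Decision(True, f"tag-select:{tag}")
    return Decision(False, None)                            # no Hive policy: deny, no policy id (use case 1)


def authorize(state, user, path):
    """RMS takes over for any path under a Hive table location; S3 policies are not consulted there."""
    if state.rms_enabled:
        table = table_for_path(state, path)
        if table is not None:
            return hive_decision(state, user, table)
    return s3_decision(state, user, path)


def use_case(n, rms_enabled, s3_allows=True):
    """Build the Ranger state for use case n (1..4) and evaluate a read of one data file."""
    st = RangerState(table_location={TABLE: LOCATION}, rms_enabled=rms_enabled)
    if s3_allows:
        st.s3_read[USER] = [LOCATION]
    if n in (2, 3):
        st.table_tags[TABLE] = ["SPECIAL_ACCESS"]
        st.tag_select["SPECIAL_ACCESS"] = [USER]
    if n == 3:
        st.masking[(USER, TABLE)] = "SSN"
    if n == 4:
        st.hive_select[USER] = [TABLE]
    return authorize(st, USER, LOCATION + "/part-00000")


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(f"use case {n}: before RMS {use_case(n, False)}, after RMS {use_case(n, True)}")
```

The model keeps two rules apart that are easy to conflate when reading audit logs: with RMS, an S3 policy that allows the location no longer matters once the path maps to a Hive table (use cases 1 and 4), and a masking policy on the table is a deny at the file level, not a grant with masking (use case 3).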