Configuring Ranger Authorization for Atlas
Atlas is configured to use Ranger for authorization by default. You might need to change configuration settings to disable Ranger as the source of authorization in a development environment; Ranger authorization is highly recommended in a production environment. In addition, there are some configuration values that you might need to change should you make significant changes to how Atlas and Ranger are installed in your cluster.
Atlas behaves like any other service when it comes to integrating with Ranger for access control: turn on Ranger authorization from the Cloudera Manager configuration page for the Atlas service. This integration allows Atlas to use Ranger policies to determine authorization for user actions in Atlas; Atlas also reports success or failure against the policies back to Ranger. In addition to this standard integration for authorization, Atlas integrates with Ranger to send metadata updates to Ranger using a Kafka topic. The configuration properties that support the two integration paths include specifying HDFS locations for caching Ranger policies, storing Atlas audits, and storing other metadata exchanged between the two services. In rare circumstances, you may need to relocate these storage locations.
Minimum Required Role in Cloudera Manager: Full Administrator.
- In Cloudera Manager, select the Atlas service, then open the Configuration tab.
- To display the Ranger configuration settings, type "ranger" in the Search box.
To modify the behavior of the Atlas to Ranger integration, update
the following properties:
- To disable Atlas authentication through Ranger
- Uncheck the RANGER Service property. Leave the supporting properties as is so you can re-instate Ranger easily if needed.
- To set where Atlas stores intermediate data for Ranger audits and cached authorization policies
- Review and potentially change the path value for these
- Ranger Atlas Plugin Hdfs Audit Directory (HDFS location)
- Ranger Atlas Plugin Audit Hdfs Spool Directory Path (local file system location)
- Ranger Atlas Plugin Audit Solr Spool Directory Path (local file system location)
- Ranger Atlas Plugin Policy Cache Directory Path (local file system location)
- To re-instate Ranger after disabling it
- Enable the RANGER Service property. The supporting properties should still be available.
- Restart the Atlas service.