Apache Atlas in Cloudera uses Apache Ranger policies to control access to the metadata that Atlas manages. Ranger policies also control access to Atlas administrative tasks.

Ranger provides authorization to access the following metadata and operations:

- Types
  - Atlas "types" are the entity model definitions, whether provided with Atlas or added in your environment. Types include these "categories":
    - Entity
    - Classification
    - Relationship
    - Business Metadata
    - Struct
    - Enum
  - Ranger authorization allows you to configure access for users and groups to perform the following operations on types:
    - Create
    - Update
    - Delete
    - Read
  - The policies can be configured to apply to one or more types or to all types. For example, the Atlas administrator user has access to create, update, and delete all type categories (`type-category *`).
- Entities
  - Atlas "entities" are instances of entity types: entities represent assets and processes on your cluster. Ranger authorization allows you to configure access for users and groups to perform the following operations on entities:
    - Read
    - Create
    - Update
    - Delete
    - Read classification
    - Add classification
    - Update classification
    - Remove classification
    - Add label
    - Remove label
    - Update Business Metadata
  - Note that the classification operations are those that involve associating a classification with an entity; operations on a classification definition are controlled by authorization on the classification category of type described previously. Use the entity authorization to give a user the ability to associate an existing classification with any entity (`entity-type *`); use the type authorization to give a user the ability to create new classifications (`type-category classification`).
  - Policies for labels and business metadata work similarly to classifications: you can control whether users can add labels or business metadata to specific entity types, individual entities, or entities marked with specific classifications. For example, a default policy allows any authenticated user to update all business metadata for any entity types with any classifications and on any instances of entities (`entity-type *`, `entity-classification *`, `entity-id *`, `entity-business-metadata *`).
  - Some Atlas features, such as saved searches, are modeled as entities. You can control access to these features using entity policies. For example, a default policy allows any authenticated user to save Atlas searches (`entity-type __AtlasUserProfile, __AtlasUserSavedSearch`).
- Relationships
  - Atlas "relationships" describe connections between two entities, including, but not limited to, the input and output relationships that are used to build lineage graphs. Ranger authorization allows you to configure access for users and groups to perform the following operations on relationships:
    - Add relationship
    - Update relationship
    - Remove relationship
  - These operations are required to build rich models among entities and are granted to administrative users and system users. Relationships cannot be updated by users through the Atlas UI.
- Admin operations
  - Atlas administrative operations include:
    - Import entities
    - Export entities
  - These operations encompass all the privileges needed to create new entities and update existing ones. Typically, this access is granted to administrative users and system users such as RangerLookup and the Data Plane profiler user (DPProfiler).
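The following is an added, simplified model of how the type and entity policies above are evaluated; it is not Ranger's own engine or Cloudera code. It assumes Ranger-style access type names (`type-create`, `entity-add-classification`, and so on), a `public` group standing for every authenticated user, and constructed users, groups, and policy names; it shows why a user who can tag any entity with an existing classification still cannot define a new one.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PUBLIC = "public"  # assumed name of the group that stands for "any authenticated user"


@dataclass
class Policy:
    name: str
    resources: dict                 # Ranger resource name -> list of allowed values; "*" matches any
    accesses: set                   # access types the policy grants, e.g. "entity-add-classification"
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def applies_to(self, user, groups):
        return user in self.users or bool((groups | {PUBLIC}) & self.groups)

    def matches(self, user, groups, access, resources):
        if not self.applies_to(user, groups) or access not in self.accesses:
            return False
        # Every resource named in the request must be covered by this policy (wildcard aware);
        # a type-level policy therefore never matches an entity-level request and vice versa.
        return all(any(fnmatchcase(value, pat) for pat in self.resources.get(res, []))
                   for res, value in resources.items())


def is_authorized(policies, user, groups, access, resources):
    """Ranger denies by default: a request is allowed only if at least one policy matches it."""
    return any(p.matches(user, groups, access, resources) for p in policies)


# Constructed policies modelled on the defaults described above ("analysts" group is assumed).
POLICIES = [
    Policy("admin-types", {"type-category": ["*"]},
           {"type-create", "type-update", "type-delete"}, users={"admin"}),
    Policy("tag-entities", {"entity-type": ["*"], "entity-classification": ["*"], "entity-id": ["*"]},
           {"entity-read", "entity-add-classification", "entity-remove-classification"},
           groups={"analysts"}),
    Policy("business-metadata", {"entity-type": ["*"], "entity-classification": ["*"],
                                 "entity-id": ["*"], "entity-business-metadata": ["*"]},
           {"entity-update-business-metadata"}, groups={PUBLIC}),
    # Saved searches are entities; the wildcard id is an assumption beyond the text above.
    Policy("saved-searches", {"entity-type": ["__AtlasUserProfile", "__AtlasUserSavedSearch"],
                              "entity-id": ["*"]},
           {"entity-create", "entity-update", "entity-read"}, groups={PUBLIC}),
]

if __name__ == "__main__":
    tag = {"entity-type": "hive_table", "entity-classification": "PII", "entity-id": "sales@cl1"}
    print(is_authorized(POLICIES, "alice", {"analysts"}, "entity-add-classification", tag))  # True
    print(is_authorized(POLICIES, "alice", {"analysts"}, "type-create", {"type-category": "classification"}))  # False
```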