Enabling tag-based policies for Ranger RAZ
Enable tag-based authorization for Ranger Remote Authorization Service (RAZ) to extend access control beyond traditional resource-based policies using Apache Atlas classifications. This workflow requires synchronizing S3 metadata using the S3 extractor, classifying resources in Atlas, and creating tag-based policies in Ranger Admin for synchronized AWS resources.
By default, RAZ supports resource-based authorization policies. This means that you configure access control using specific policies for resource types, such as S3 policies for AWS buckets or ADLS policies for Azure blobs.
The Ranger ecosystem also supports tag-based policies. When you associate classification tags with AWS resources, such as buckets, in Apache Atlas, TagSync automatically synchronizes those tags to Ranger Admin.
This capability allows you to create tag-based policies for S3 buckets directly in Ranger Admin. Since RAZ is a Ranger plugin, it can download these tag-based policies and perform authorization checks based on the associated tags, extending access control capabilities beyond traditional resource-based policies.
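The following is an added example, not code from Cloudera's documentation or from the Ranger or RAZ projects. It shows two things the paragraphs above describe: the JSON body a tag-based policy takes when you create it through Ranger Admin's public REST API, and a simplified model of the check a Ranger plugin such as RAZ performs once TagSync has delivered the Atlas classifications for S3 resources. The tag service name `cm_tag`, the S3 access type names `read`, `write` and `list`, and the bucket paths, tags and groups in the sample data are assumptions constructed for the example; the evaluation logic is a simplified model (any matching deny wins, no matching allow means deny) rather than Ranger's full policy engine.

```python
"""Added example (not Cloudera's or Ranger's code): build a Ranger tag-based
policy for S3 resources classified in Atlas, and mirror the authorization
check a Ranger plugin such as RAZ performs using synchronized tags.

Assumed values: tag service "cm_tag", S3 access types read/write/list,
and the constructed sample bucket paths, tags and groups below.
"""
import base64
import json
import urllib.request

RANGER_TAG_SERVICE = "cm_tag"                 # assumed tag service name
S3_ACCESS_TYPES = {"read", "write", "list"}   # assumed RAZ S3 access types


def build_tag_policy(name, tag, groups, accesses, allow=True,
                     service=RANGER_TAG_SERVICE):
    """Return the JSON body Ranger Admin accepts for a tag-based policy.
    Tag policies spell accesses as "<serviceType>:<accessType>", so an
    S3 read is "s3:read". allow=False produces a deny policy item."""
    for a in accesses:
        if a not in S3_ACCESS_TYPES:
            raise ValueError(f"unknown S3 access type {a!r}")
    item = {
        "groups": list(groups),
        "users": [],
        "accesses": [{"type": f"s3:{a}", "isAllowed": True} for a in accesses],
        "delegateAdmin": False,
    }
    return {
        "service": service,
        "serviceType": "tag",
        "name": name,
        "policyType": 0,            # 0 = access policy
        "isEnabled": True,
        "resources": {"tag": {"values": [tag],
                              "isExclusive": False, "isRecursive": False}},
        "policyItems": [item] if allow else [],
        "denyPolicyItems": [] if allow else [item],
    }


def post_policy(policy, ranger_url, user, password):
    """POST the policy to Ranger Admin's public v2 REST API.
    Not invoked by the offline sample below; shown for completeness."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{ranger_url.rstrip('/')}/service/public/v2/api/policy",
        data=json.dumps(policy).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def tags_for(path, tag_map):
    """Union of tags on every bucket or prefix that contains the path:
    a classification on a bucket applies to the objects beneath it."""
    tags = set()
    for prefix, t in tag_map.items():
        if path.startswith(prefix):
            tags |= set(t)
    return tags


def _item_matches(item, user_groups, wanted):
    return bool(set(item["groups"]) & set(user_groups)) and any(
        a["type"] == wanted and a["isAllowed"] for a in item["accesses"])


def is_access_allowed(policies, tag_map, path, user_groups, access):
    """Plugin-side check (simplified): collect the resource's synced tags,
    then apply the downloaded tag policies. Any matching deny item wins;
    with no matching allow item the default result is deny."""
    wanted = f"s3:{access}"
    resource_tags = tags_for(path, tag_map)
    allowed = False
    for p in policies:
        if not p["isEnabled"]:
            continue
        if not set(p["resources"]["tag"]["values"]) & resource_tags:
            continue
        for item in p.get("denyPolicyItems", []):
            if _item_matches(item, user_groups, wanted):
                return False
        for item in p["policyItems"]:
            if _item_matches(item, user_groups, wanted):
                allowed = True
    return allowed


# Constructed sample: the tag mapping TagSync would deliver after the S3
# extractor registered these buckets in Atlas and they were classified there.
SAMPLE_TAG_MAP = {
    "s3a://finance-bucket/": {"Finance"},
    "s3a://finance-bucket/payroll/": {"PII"},
    "s3a://public-bucket/": set(),
}

SAMPLE_POLICIES = [
    build_tag_policy("Finance-read", "Finance", ["finance-analysts"], ["read", "list"]),
    build_tag_policy("PII-restrict", "PII", ["finance-analysts"], ["read"], allow=False),
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICIES[0], indent=2))
    for path, acc in [("s3a://finance-bucket/reports/q1.csv", "read"),
                      ("s3a://finance-bucket/payroll/2024.csv", "read"),
                      ("s3a://finance-bucket/payroll/2024.csv", "list")]:
        print(path, acc, is_access_allowed(SAMPLE_POLICIES, SAMPLE_TAG_MAP,
                                           path, ["finance-analysts"], acc))
```

The sample shows why tag inheritance matters: an object under `payroll/` carries both the bucket's `Finance` tag and the prefix's `PII` tag, so the `PII` deny policy blocks reads for the same group that the `Finance` policy otherwise grants them to, while `list` on that object is still permitted because only `read` was denied.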
- AWS Identity and Access Management (IAM)
- Cloudera Manager administration
- Apache Atlas metadata and classifications
- Ranger Admin authorization policies
- RAZ functionality and configuration
