:original_name: mrs_01_1851.html

.. _mrs_01_1851:

Configuring Component Permission Policies
=========================================

In a newly installed MRS cluster, Ranger is installed by default, with the Ranger authentication model enabled. The system administrator can set fine-grained security policies for accessing component resources through the component permission plug-ins.

Currently, the following components in a cluster in security mode support Ranger: HDFS, Yarn, HBase, Hive, Spark2x, Kafka, and HetuEngine.

Configuring User Permission Policies Using Ranger
-------------------------------------------------
#. Log in to the Ranger management page as the system administrator.

#. In the **Service Manager** area on the Ranger homepage, click the permission plug-in name of a component. The security access policy list page of the component is displayed.

   .. note::

      In the policy list of each component, many items are generated by default to ensure the permissions of some default users or user groups (such as the **supergroup** user group). Do not delete these items. Otherwise, the permissions of the default users or user groups are affected.

#. Click **Add New Policy** and configure resource access policies for related users or user groups based on the service scenario plan.

   The following policies are examples for different components:

   - :ref:`Adding a Ranger Access Permission Policy for HDFS `
   - :ref:`Adding a Ranger Access Permission Policy for HBase `
   - :ref:`Adding a Ranger Access Permission Policy for Hive `
   - :ref:`Adding a Ranger Access Permission Policy for Yarn `
   - :ref:`Adding a Ranger Access Permission Policy for Spark2x `
   - :ref:`Adding a Ranger Access Permission Policy for Kafka `
   - :ref:`Adding a Ranger Access Permission Policy for HetuEngine `

   After the policies are added, wait for about 30 seconds for them to take effect.

   .. note::

      Each time a component is started, the system checks whether the default Ranger service of the component exists. If the service does not exist, the system creates the Ranger service and adds a default policy for it. If a service is deleted by mistake, you can restart the corresponding component service, or restart it in rolling mode, to restore the service. If the default policy is deleted by mistake, you can manually delete the service and then restart the component service.

#. Choose **Access Manager** > **Reports** to view all security access policies of each component.

   If there are many system policies, filter and search for policies by the policy name, policy type, component, resource, policy label, security zone, user, or user group. Alternatively, click **Export** to export related policies.

   |image1|

.. note::

   - Generally, only one policy can be configured for a fixed resource object. If multiple policies are configured for the same resource object, the policies cannot be saved.
   - For details about the priorities of different policies, see :ref:`Condition Priorities of the Ranger Permission Policy <mrs_01_1851__en-us_topic_0000001219029013_section2381255446>`.

.. _mrs_01_1851__en-us_topic_0000001219029013_section2381255446:

Condition Priorities of the Ranger Permission Policy
----------------------------------------------------

When configuring a permission policy for a resource, you can configure Allow Conditions, Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions for the resource, to handle exception cases in different scenarios.

The priorities of the conditions, in descending order, are: Exclude from Deny Conditions > Deny Conditions > Exclude from Allow Conditions > Allow Conditions.

The following figure shows the process of determining condition priorities. If a component resource request does not match any permission policy in Ranger, the system rejects the access by default. For HDFS and Yarn, however, the system hands the decision to the access control layer of the component.

|image2|

For example, to grant the read and write permissions on the **FileA** folder to the **groupA** user group, excluding the user **UserA** in that group, you can add an allow condition and an exception condition.

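The priority order and the **FileA** example above, modelled as an added example (this is not code from the MRS documentation or from Ranger). The class names, the exact-name resource match, the ``FileB`` policy and the ``DELEGATE_TO_COMPONENT`` result are assumptions made for illustration, and the evaluation order is one reading of the priority list, because the flowchart image is not reproduced here.

```python
from dataclasses import dataclass, field

# Per the page: an unmatched HDFS or Yarn request is handed to the component's
# own access control layer; every other component rejects it by default.
DELEGATING = {"HDFS", "Yarn"}

@dataclass(frozen=True)
class Condition:
    accesses: frozenset
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    def matches(self, user, user_groups, access):
        in_scope = user in self.users or bool(self.groups & set(user_groups))
        return in_scope and access in self.accesses

@dataclass
class Policy:
    resource: str
    allow: list = field(default_factory=list)
    allow_exclude: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    deny_exclude: list = field(default_factory=list)

def hit(conditions, *request):
    return any(c.matches(*request) for c in conditions)

def evaluate(policy, component, resource, user, user_groups, access):
    request = (user, user_groups, access)
    if resource == policy.resource:  # assumption: exact-name resource match
        # Exclude from Deny outranks Deny, so a deny only holds without one.
        if hit(policy.deny, *request) and not hit(policy.deny_exclude, *request):
            return "DENY"
        # Exclude from Allow outranks Allow in the same way.
        if hit(policy.allow, *request) and not hit(policy.allow_exclude, *request):
            return "ALLOW"
    # No condition decided the request (assumed to count as "no match").
    return "DELEGATE_TO_COMPONENT" if component in DELEGATING else "DENY"

RW = frozenset({"read", "write"})
# Constructed policy for the page's example: groupA gets read/write, not UserA.
FILEA = Policy("FileA",
               allow=[Condition(RW, groups=frozenset({"groupA"}))],
               allow_exclude=[Condition(RW, users=frozenset({"UserA"}))])
# Constructed policy on a hypothetical FileB: groupA denied write, except UserB.
FILEB = Policy("FileB",
               allow=[Condition(RW, users=frozenset({"UserB"}))],
               deny=[Condition(frozenset({"write"}), groups=frozenset({"groupA"}))],
               deny_exclude=[Condition(frozenset({"write"}), users=frozenset({"UserB"}))])
```

In this model, **UserA** is not granted access by the **FileA** policy, but on HDFS the request is still passed to the component's own permission check, so the HDFS file permissions must also exclude that user for the exception to be effective.
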
.. |image1| image:: /_static/images/en-us_image_0000001349139677.png
.. |image2| image:: /_static/images/en-us_image_0000001349259269.png