In the newly installed MRS cluster, Ranger is installed by default, with the Ranger authentication model enabled. The system administrator can set fine-grained security policies for accessing component resources through the component permission plug-ins.
Currently, the following components in a cluster in security mode support Ranger: HDFS, Yarn, HBase, Hive, Spark2x, Kafka, Storm..
Configuring User Permission Policies Using Ranger
- Log in to the Ranger management page as the system administrator.
- In the Service Manager area on the Ranger homepage, click the permission plug-in name of a component. The page for security access policy list of the component is displayed.
In the policy list of each component, many items are generated by default to ensure the permissions of some default users or user groups (such as the supergroup user group). Do not delete these items. Otherwise, the permissions of the default users or user groups are affected.
- Click Add New Policy and configure resource access policies for related users or user groups based on the service scenario plan.
The following policies are examples for different components:
- Adding a Ranger Access Permission Policy for HDFS
- Adding a Ranger Access Permission Policy for HBase
- Adding a Ranger Access Permission Policy for Hive
- Adding a Ranger Access Permission Policy for Yarn
- Adding a Ranger Access Permission Policy for Spark2x
- Adding a Ranger Access Permission Policy for Kafka
- Adding a Ranger Access Permission Policy for Storm
After the policies are added, wait for about 30 seconds for them to take effect.
Each time a component is started, the system checks whether the default Ranger service of the component exists. If the service does not exist, the system creates the Ranger service and adds a default policy for it. If a service is deleted by mistake, you can restart or restart the corresponding component service in rolling mode to restore the service. If the default policy is deleted by mistake, you can manually delete the service and then restart the component service.
- Choose Access Manager > Reports to view all security access policies of each component.
If there are many system policies, filter and search for policies by the policy name, policy type, component, resource, policy label, security zone, user, or user group. Alternatively, click Export to export related policies.
- Generally, only one policy can be configured for a fixed resource object. If multiple policies are configured for the same resource object, the policies cannot be saved.
- For details about the priorities of different policies, see Condition Priorities of the Ranger Permission Policy.
Condition Priorities of the Ranger Permission Policy
When configuring a permission policy for a resource, you can configure Allow Conditions, Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions for the resource, to meet unexpected requirements in different scenarios.
The priorities of different conditions are listed in descending order: Exclude from Deny Conditions > Deny Conditions > Exclude from Allow Conditions > Allow Conditions
The following figure shows the process of determining condition priorities. If the component resource request does not match the permission policy in Ranger, the system rejects the access by default. However, for HDFS and Yarn, the system delivers the decision to the access control layer of the component for determination.
For example, if you want to grant the read and write permissions of the FileA folder to the groupA user group, but the user in the group is not UserA, you can add an allowed condition and an exception condition.