Adding a Ranger Access Permission Policy for CDL

Scenario

Ranger administrators can use Ranger to configure creation, execution, query, and deletion permissions for CDL users.

Prerequisites

Procedure

  1. Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI.
  2. On the home page, click the component plug-in name in the CDL area, for example, CDL.
  3. Click Add New Policy to add a CDL permission control policy.
  4. Configure the parameters listed in the table below based on the service demands.

    Table 1 CDL permission parameters

    Parameter

    Description

    Policy Type

    Access.

    Policy Conditions

    IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10, 192.168.1.20, or 192.168.1.*.

    Policy Name

    Policy name, which can be customized and must be unique in the service.

    Policy Label

    A label specified for the current policy. You can search for reports and filter policies based on labels.

    job

    Name of the job applicable to the current policy. You can enter multiple values. The value can contain wildcards, such as test, test*, and *.

    The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.

    Description

    Policy description.

    Audit Logging

    Whether to audit the policy.

    Allow Conditions

    Permission and exception conditions allowed by a policy. The priority of an exception condition is higher than that of a normal condition.

    In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which you want to assign permissions.

    Click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add corresponding permissions.

    • Create permission.
    • Execute permission.
    • Delete permission.
    • Update permission.
    • Get permission.
    • Select/Deselect All permission.

    To add multiple permission control rules, click .

    If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.

    Deny Conditions

    Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is the same as that of Allow Conditions. The priority of the rejection condition is higher than that of the allowed conditions configured in Allow Conditions.
    Table 2 Setting user permissions

    Scenario

    Role Authorization

    Setting the CDL administrator permission
    1. On the home page, click the component plug-in name in the CDL area, for example, CDL.
    2. Select the policies whose Policy Name is all - job, all - link, all - driver or all - env, and click to edit the policies.
    3. In the Allow Conditions area, select a user from the Select User drop-down list.
    4. Click Add Permissions and select Select/Deselect All.

    Setting the permission to manage a CDL job
    1. Select a CDL job name from the job drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Select/Deselect All.

    Setting the permission to create a CDL job
    1. Select a CDL job name from the job drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Create.
      NOTE:

      By default, all users have the permission to create a CDL job.

    Setting the permission to delete a CDL job
    1. Select a CDL job name from the job drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Delete.

    Setting the permission to obtain information about a CDL job
    1. Select a CDL job name from the job drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Get.

    Setting the permission to execute a CDL job
    1. Select a CDL job name from the job drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Execute.

    Setting the permission to manage a CDL data link
    1. Select the CDL data link name on the right of the link drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Select/Deselect All.

    Setting the permission to create a CDL data link
    1. Select the CDL data link name on the right of the link drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Create.
      NOTE:

      By default, all users have the permission to creat CDL data links.

    Setting the permission to delete a CDL data link
    1. Select the CDL data link name on the right of the link drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Delete.

    Setting the permission to update a CDL data link
    1. Select the CDL data link name on the right of the link drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Update.

    Setting the permission to obtain information about a CDL data link
    1. Select the CDL data link name on the right of the link drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Get.

    Setting the permission to manage a CDL driver
    1. Select the CDL driver name on the right of the driver drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Select/Deselect All.

    Setting the permission to delete a CDL driver
    1. Select the CDL driver name on the right of the driver drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Delete.

    Setting the permission to update a CDL driver
    1. Select the CDL driver name on the right of the driver drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Update.

    Setting the permission to obtain information about a CDL driver
    1. Select the CDL driver name on the right of the driver drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Get.

    Setting the permission to manage a CDL environment variable
    1. Select the CDL environment variable name on the right of the env drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Select/Deselect All.

    Setting the permission to create a CDL environment variable
    1. Select the CDL environment variable name on the right of the env drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Create.
      NOTE:

      By default, all users have the permission to create a CDL environment variable.

    Setting the permission to delete a CDL environment variable
    1. Select the CDL environment variable name on the right of the env drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Delete.

    Setting the permission to update a CDL environment variable
    1. Select the CDL environment variable name on the right of the env drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Update.

    Setting the permission to obtain information about a CDL environment variable
    1. Select the CDL environment variable name on the right of the env drop-down list.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Get.

  5. (Optional) Add the validity period of the policy. Click Add Validity period in the upper right corner of the page, set Start Time and End Time, and select Time Zone. Click Save. To add multiple policy validity periods, click . To delete a policy validity period, click .
  6. Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.

    To disable a policy, click to edit the policy and set the policy to Disabled.

    If a policy is no longer used, click to delete it.

Parent topic: Using Ranger