Yang, Tong 6182f91ba8 MRS component operation guide_normal 2.0.38.SP20 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2022-12-09 14:55:21 +00:00

<a name="mrs_01_1851"></a><a name="mrs_01_1851"></a>
<h1 class="topictitle1">Configuring Component Permission Policies</h1>
<div id="body1595917958998"><p id="mrs_01_1851__p1380014224018">In the newly installed <span id="mrs_01_1851__text923114306417">MRS</span> cluster, Ranger is installed by default, with the Ranger authentication model enabled. The <span id="mrs_01_1851__ph831843855913">system </span>administrator can set fine-grained security policies for accessing component resources through the component permission plug-ins.</p>
<p id="mrs_01_1851__p155849124316">Currently, the following components in a cluster in security mode support Ranger: <span id="mrs_01_1851__text86481746134415">HDFS, Yarn, HBase, Hive, Spark2x, Kafka, and Storm</span>.</p>
<div class="section" id="mrs_01_1851__section342011207398"><h4 class="sectiontitle">Configuring User Permission Policies Using Ranger</h4><ol id="mrs_01_1851__ol18441518103215"><li id="mrs_01_1851__li58441318173210"><span>Log in to the Ranger management page as the <span id="mrs_01_1851__ph4543922605">system </span>administrator.</span></li><li id="mrs_01_1851__li57185284516"><span>In the <strong id="mrs_01_1851__b02711523165213">Service Manager</strong> area on the Ranger homepage, click the permission plug-in name of a component. The security access policy list page of the component is displayed.</span><p><div class="note" id="mrs_01_1851__note3665101145213"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1851__p146661117522">The policy list of each component contains many items that are generated by default to guarantee the permissions of some default users or user groups (such as the <strong id="mrs_01_1851__b147421437195217">supergroup</strong> user group). Do not delete these items. Otherwise, the permissions of the default users or user groups are affected.</p>
</div></div>
</p></li><li id="mrs_01_1851__li15584102711513"><span>Click <strong id="mrs_01_1851__b56992441893">Add New Policy</strong> and configure resource access policies for related users or user groups based on the service scenario plan.</span><p><p id="mrs_01_1851__p050313465117">The following policies are examples for different components:</p>
<ul id="mrs_01_1851__ul79191810821"><li id="mrs_01_1851__li236015315414"><a href="mrs_01_1856.html">Adding a Ranger Access Permission Policy for HDFS</a></li><li id="mrs_01_1851__li99173811556"><a href="mrs_01_1857.html">Adding a Ranger Access Permission Policy for HBase</a></li><li id="mrs_01_1851__li2151131218553"><a href="mrs_01_1858.html">Adding a Ranger Access Permission Policy for Hive</a></li><li id="mrs_01_1851__li128531014195510"><a href="mrs_01_1859.html">Adding a Ranger Access Permission Policy for Yarn</a></li><li id="mrs_01_1851__li253818180552"><a href="mrs_01_1860.html">Adding a Ranger Access Permission Policy for Spark2x</a></li><li id="mrs_01_1851__li17240822105516"><a href="mrs_01_1861.html">Adding a Ranger Access Permission Policy for Kafka</a></li><li id="mrs_01_1851__li7177173065517"><a href="mrs_01_1863.html">Adding a Ranger Access Permission Policy for Storm</a></li></ul>
<p id="mrs_01_1851__p786310493212">After the policies are added, wait for about 30 seconds for them to take effect.</p>
<div class="note" id="mrs_01_1851__note97312517522"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1851__p419220362529">Each time a component is started, the system checks whether the default Ranger service of the component exists. If the service does not exist, the system creates the Ranger service and adds a default policy for it. If a service is deleted by mistake, you can restart the corresponding component service, or restart it in rolling mode, to restore the service. If the default policy is deleted by mistake, you can manually delete the service and then restart the component service.</p>
</div></div>
</p></li><li id="mrs_01_1851__li18491027191020"><span>Choose <strong id="mrs_01_1851__b15877103211123">Access Manager</strong> &gt; <strong id="mrs_01_1851__b787823211122">Reports</strong> to view all security access policies of each component.</span><p><p id="mrs_01_1851__p1316611388101">If there are many system policies, filter and search for policies by the policy name, policy type, component, resource, policy label, security zone, user, or user group. Alternatively, click <strong id="mrs_01_1851__b744193511214">Export</strong> to export related policies.</p>
<p id="mrs_01_1851__p1589604124310"><span><img id="mrs_01_1851__image3896749439" src="en-us_image_0000001348770113.png"></span></p>
<div class="note" id="mrs_01_1851__note15336133773920"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="mrs_01_1851__ul1741072424212"><li id="mrs_01_1851__li174105247428">Generally, only one policy can be configured for a fixed resource object. If multiple policies are configured for the same resource object, the policies cannot be saved.</li><li id="mrs_01_1851__li13433425154211">For details about the priorities of different policies, see <a href="#mrs_01_1851__section2381255446">Condition Priorities of the Ranger Permission Policy</a>.</li></ul>
</div></div>
</p></li></ol>
</div>
<div class="section" id="mrs_01_1851__section2381255446"><a name="mrs_01_1851__section2381255446"></a><a name="section2381255446"></a><h4 class="sectiontitle">Condition Priorities of the Ranger Permission Policy</h4><p id="mrs_01_1851__p1374519251448">When configuring a permission policy for a resource, you can configure Allow Conditions, Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions for the resource, to handle exceptions in different scenarios.</p>
<p id="mrs_01_1851__p18450652173817">The priorities of the conditions, in descending order, are: Exclude from Deny Conditions &gt; Deny Conditions &gt; Exclude from Allow Conditions &gt; Allow Conditions.</p>
<p id="mrs_01_1851__p1350585152418">The following figure shows the process of determining condition priorities. If the component resource request does not match the permission policy in Ranger, the system rejects the access by default. However, for HDFS and Yarn, the system delivers the decision to the access control layer of the component for determination.</p>
<p id="mrs_01_1851__p6252113182417"><span><img id="mrs_01_1851__image1875843317387" src="en-us_image_0000001296249724.png"></span></p>
<p id="mrs_01_1851__p966817319207">For example, to grant the read and write permissions on the <strong id="mrs_01_1851__b154912581143">FileA</strong> folder to the <strong id="mrs_01_1851__b84975589148">groupA</strong> user group, excluding the user <strong id="mrs_01_1851__b5497155819143">UserA</strong> in that group, add an allowed condition and an exception condition.</p>
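<p>The following Python model is an added example, not code from MRS or Ranger: it walks the condition priority order above for the FileA/groupA/UserA case and for a policy with a deny condition. The names <code>Condition</code>, <code>Policy</code> and <code>evaluate</code>, the path <code>/FileA</code>, the users UserB and UserC, and exact-match resource comparison are assumptions; the flow (deny checked first, each exclude list cancelling only its own condition) is this example's reading of the priority order.</p>

```python
# Added example: simplified model of the condition priority order described above.
# All class/function names are hypothetical; this is not Ranger's API.
from dataclasses import dataclass, field

@dataclass
class Condition:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    accesses: set = field(default_factory=set)

    def matches(self, user, user_groups, access):
        who = user in self.users or bool(self.groups & set(user_groups))
        return who and access in self.accesses

@dataclass
class Policy:
    resource: str
    allow: list = field(default_factory=list)
    allow_exclude: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    deny_exclude: list = field(default_factory=list)

# Per the page: unmatched HDFS and Yarn requests go to the component's own access control.
FALLBACK_COMPONENTS = {"HDFS", "Yarn"}

def _hit(conditions, user, groups, access):
    return any(c.matches(user, groups, access) for c in conditions)

def evaluate(policy, component, resource, user, groups, access):
    """Return 'ALLOW', 'DENY', or 'COMPONENT_ACL' (decision handed to the component)."""
    if policy.resource == resource:  # assumption: exact match, no wildcards
        args = (user, groups, access)
        if _hit(policy.deny, *args) and not _hit(policy.deny_exclude, *args):
            return "DENY"
        if _hit(policy.allow, *args) and not _hit(policy.allow_exclude, *args):
            return "ALLOW"
    # No condition decided the request: default reject, except HDFS and Yarn.
    return "COMPONENT_ACL" if component in FALLBACK_COMPONENTS else "DENY"

# Constructed sample policies.
RW = {"read", "write"}
FILE_A = Policy("/FileA",
                allow=[Condition(groups={"groupA"}, accesses=RW)],
                allow_exclude=[Condition(users={"UserA"}, accesses=RW)])
LOCKED = Policy("/FileA",
                allow=[Condition(groups={"groupA"}, accesses=RW)],
                deny=[Condition(groups={"groupA"}, accesses={"write"})],
                deny_exclude=[Condition(users={"UserB"}, accesses={"write"})])
```

<p>In this model, excluding UserA from the allow condition on an HDFS resource leaves the request undecided, so the result depends on the HDFS access control layer; a deny condition yields an explicit rejection.</p>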
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_1849.html">Using Ranger (MRS 3.x)</a></div>
</div>
</div>