Yang, Tong 6182f91ba8 MRS component operation guide_normal 2.0.38.SP20 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2022-12-09 14:55:21 +00:00


<a name="mrs_01_1856"></a>
<h1 class="topictitle1">Adding a Ranger Access Permission Policy for HDFS</h1>
<div id="body1595917962133"><div class="section" id="mrs_01_1856__section1861148182711"><h4 class="sectiontitle">Scenario</h4><p id="mrs_01_1856__p757895715271">The <span id="mrs_01_1856__ph1389213457234">Ranger</span><span id="mrs_01_1856__ph733184682310"> </span>administrator can use Ranger to configure the read, write, and execution permissions on HDFS directories or files for HDFS users.</p>
</div>
<div class="section" id="mrs_01_1856__section11493172153315"><h4 class="sectiontitle">Prerequisites</h4><ul id="mrs_01_1856__ul5357197143515"><li id="mrs_01_1856__li735717193519">The Ranger service has been installed and is running properly.</li><li id="mrs_01_1856__li1516017214353">You have created users, user groups, or roles for which you want to configure permissions.</li></ul>
</div>
<div class="section" id="mrs_01_1856__section783035910271"><h4 class="sectiontitle">Procedure</h4><ol id="mrs_01_1856__ol1065893219380"><li id="mrs_01_1856__li12298114525917"><span>Log in to the Ranger management page.</span></li><li id="mrs_01_1856__li18658932173820"><span>On the homepage, click the component plug-in name in the <strong id="mrs_01_1856__b10698142835518">HDFS</strong> area, for example, <strong id="mrs_01_1856__b6704202845518">hacluster</strong>.</span></li><li id="mrs_01_1856__li1955384410387"><span>Click <strong id="mrs_01_1856__b6615183617551">Add New Policy</strong> to add an HDFS permission control policy.</span></li><li id="mrs_01_1856__li139634483403"><span>Configure the parameters listed in the table below based on service requirements.</span><p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1856__table4469841184115" frame="border" border="1" rules="all"><caption><b>Table 1 </b>HDFS permission parameters</caption><thead align="left"><tr id="mrs_01_1856__row2469841104115"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.3.2.4.2.1.2.3.1.1"><p id="mrs_01_1856__p846954194111">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="80%" id="mcps1.3.3.2.4.2.1.2.3.1.2"><p id="mrs_01_1856__p1346904194117">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1856__row1469174110419"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p1469114120417">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p546954144118">Policy name, which can be customized and must be unique in the service.</p>
</td>
</tr>
<tr id="mrs_01_1856__row31471937358"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p5148113712519">Policy Conditions</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p15148137959">IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. An IP address can contain the wildcard character (*), for example, <strong id="mrs_01_1856__b08205132110">192.168.1.10</strong>, <strong id="mrs_01_1856__b127722157112">192.168.1.20</strong>, or <strong id="mrs_01_1856__b102081918111110">192.168.1.*</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1856__row106814182213"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p196910112228">Policy Label</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p5695112225">A label specified for the current policy. You can search for reports and filter policies based on labels.</p>
</td>
</tr>
<tr id="mrs_01_1856__row104697417417"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p1598819376474">Resource Path</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p10988837194720">Resource path, which is the HDFS folder or file to which the current policy applies. You can enter multiple values and use the wildcard (*), for example, <strong id="mrs_01_1856__b123003110561">/test/*</strong>.</p>
<p id="mrs_01_1856__p549418517525">To enable a subdirectory to inherit the permission of its upper-level directory, enable the recursion function.</p>
<p id="mrs_01_1856__p1287718368143">If recursion is enabled for the parent directory and a policy is configured for the subdirectory, the policy configured for the subdirectory is used.</p>
<ul id="mrs_01_1856__ul18956181511313"><li id="mrs_01_1856__li1395613151438"><strong id="mrs_01_1856__b2052793281614">non-recursive</strong>: recursion disabled</li><li id="mrs_01_1856__li142609275313"><strong id="mrs_01_1856__b235615389162">recursive</strong>: recursion enabled</li></ul>
</td>
</tr>
<tr id="mrs_01_1856__row10990613111914"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p2990131381917">Description</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p699012134196">Policy description.</p>
</td>
</tr>
<tr id="mrs_01_1856__row12469141164113"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p898812379471">Audit Logging</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p18988437174719">Whether to audit the policy.</p>
</td>
</tr>
<tr id="mrs_01_1856__row29973720471"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p11995376471">Allow Conditions</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p18991137164717">Permission and exception conditions allowed by a policy. The priority of an exception condition is higher than that of a normal condition.</p>
<p id="mrs_01_1856__p1819113143111">In the <strong id="mrs_01_1856__b2092182416101">Select Role</strong>, <strong id="mrs_01_1856__b990620262103">Select Group</strong>, and <strong id="mrs_01_1856__b2200133012106">Select User</strong> columns, select the role, user group, or user to which the permission is to be granted, click <strong id="mrs_01_1856__b2068164019104">Add Conditions</strong>, add the IP address range to which the policy applies, and click <strong id="mrs_01_1856__b910154914102">Add Permissions</strong> to add the corresponding permission.</p>
<ul id="mrs_01_1856__ul183931610151418"><li id="mrs_01_1856__li2039341013144"><strong id="mrs_01_1856__b61891943141611">Read</strong>: permission to read data</li><li id="mrs_01_1856__li691217172146"><strong id="mrs_01_1856__b6332184741617">Write</strong>: permission to write data</li><li id="mrs_01_1856__li8597132031418"><strong id="mrs_01_1856__b10203251181612">Execute</strong>: execution permission</li><li id="mrs_01_1856__li576593075713"><strong id="mrs_01_1856__b34018712116">Select/Deselect All</strong>: Select or deselect all.</li></ul>
<p id="mrs_01_1856__p1545113122150">If users or user groups in the current condition need to manage this policy, select <strong id="mrs_01_1856__b7588452115820">Delegate Admin</strong>. These users or user groups will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.</p>
<p id="mrs_01_1856__p1455931125418">To add multiple permission control rules, click <span><img id="mrs_01_1856__image39121143141112" src="en-us_image_0000001349289373.png"></span>. To delete a permission control rule, click <span><img id="mrs_01_1856__image9311372338" src="en-us_image_0000001348770093.png"></span>.</p>
<p id="mrs_01_1856__p830416219359">Exclude from Allow Conditions: exception rules excluded from the allowed conditions</p>
</td>
</tr>
<tr id="mrs_01_1856__row4714175405513"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p18715135417554">Deny All Other Accesses</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p144192211564">Whether to reject all other access requests.</p>
<ul id="mrs_01_1856__ul1869410255564"><li id="mrs_01_1856__li16941255562"><strong id="mrs_01_1856__b8643671179">True</strong>: All other access requests are rejected.</li><li id="mrs_01_1856__li1769402595615"><strong id="mrs_01_1856__b393714915176">False</strong>: <strong id="mrs_01_1856__b1836164310591">Deny Conditions</strong> can be configured.</li></ul>
</td>
</tr>
<tr id="mrs_01_1856__row899937184718"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1856__p5991537154719">Deny Conditions</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1856__p1799337194719">Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is the same as that of <strong id="mrs_01_1856__b14553170706">Allow Conditions</strong>. The priority of the rejection condition is higher than that of the allowed conditions configured in <strong id="mrs_01_1856__b165581409014">Allow Conditions</strong>.</p>
<p id="mrs_01_1856__p10996114819815"><strong id="mrs_01_1856__b13402122261712">Exclude from Deny Conditions</strong>: exception rules excluded from the denied conditions</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_1856__p856294531710">For example, to add the write permission for the <strong id="mrs_01_1856__b1326518201103">/user/test</strong> directory of user <strong id="mrs_01_1856__b1927017201605">testuser</strong>, the configuration is as follows:</p>
<p id="mrs_01_1856__p664045716512"><span><img id="mrs_01_1856__image1664015715510" src="en-us_image_0000001389252974.png"></span></p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1856__tc5a4f557e6144488a1ace112bb8db6ee" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Setting permissions</caption><thead align="left"><tr id="mrs_01_1856__rf34d31ecea1e4bfa83b3c049c1dd41f8"><th align="left" class="cellrowborder" valign="top" width="37.41%" id="mcps1.3.3.2.4.2.4.2.3.1.1"><p id="mrs_01_1856__aadbfbbb39d0e4ba8a7478c93d9cad42e">Task</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="62.59%" id="mcps1.3.3.2.4.2.4.2.3.1.2"><p id="mrs_01_1856__acf9e0c106c8d4c9c9cd716218e90bdae">Role Authorization</p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1856__row1296983113534"><td class="cellrowborder" valign="top" width="37.41%" headers="mcps1.3.3.2.4.2.4.2.3.1.1 "><p id="mrs_01_1856__p57634569113541">Setting the HDFS administrator permission</p>
</td>
<td class="cellrowborder" valign="top" width="62.59%" headers="mcps1.3.3.2.4.2.4.2.3.1.2 "><ol type="a" id="mrs_01_1856__ol9811840103417"><li id="mrs_01_1856__li3811140173416">On the homepage, click the component plug-in name in the <strong id="mrs_01_1856__b174332513113">HDFS</strong> area, for example, <strong id="mrs_01_1856__b443910512117">hacluster</strong>.</li><li id="mrs_01_1856__li13360163663816">Select the policy whose <strong id="mrs_01_1856__b1036098319">Policy Name</strong> is <strong id="mrs_01_1856__b1136078018">all - path</strong> and click <span><img id="mrs_01_1856__image262417334017" src="en-us_image_0000001295930232.png"></span> to edit the policy.</li><li id="mrs_01_1856__li1369322054013">In the <strong id="mrs_01_1856__b1144210192117">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1856__b8443419815">Select User</strong> drop-down list.</li></ol>
</td>
</tr>
<tr id="mrs_01_1856__rf9e165cafb794eb68c0c4850bc7c9547"><td class="cellrowborder" valign="top" width="37.41%" headers="mcps1.3.3.2.4.2.4.2.3.1.1 "><p id="mrs_01_1856__a2474c3f6e8c34b6bb82e42bbdb74ea85">Setting the permission for users to check and recover HDFS</p>
</td>
<td class="cellrowborder" valign="top" width="62.59%" headers="mcps1.3.3.2.4.2.4.2.3.1.2 "><ol type="a" id="mrs_01_1856__o1e958b1ec20d47768de7dd002b059e50"><li id="mrs_01_1856__ld973a3178b874b2991a34724362edeaa">Add a folder or a file path in <strong id="mrs_01_1856__b822719292112">Resource Path</strong>.</li><li id="mrs_01_1856__l90a887e837424d2e9d0e4edb5bc29030">In the <strong id="mrs_01_1856__b77634321014">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1856__b1876983213115">Select User</strong> drop-down list.</li><li id="mrs_01_1856__la261edb792114984b435ac93df993a6c">Click <strong id="mrs_01_1856__b139715561513">Add Permissions</strong> and select <strong id="mrs_01_1856__b18398155619117">Read</strong> and <strong id="mrs_01_1856__b1439916561313">Execute</strong>.</li></ol>
</td>
</tr>
<tr id="mrs_01_1856__rac8abf6080f948f2837354b9ee1f2eae"><td class="cellrowborder" valign="top" width="37.41%" headers="mcps1.3.3.2.4.2.4.2.3.1.1 "><p id="mrs_01_1856__a44e5153fd70d40e39b0a15843dadcbc3">Setting the permission for users to read directories or files of other users</p>
</td>
<td class="cellrowborder" valign="top" width="62.59%" headers="mcps1.3.3.2.4.2.4.2.3.1.2 "><ol type="a" id="mrs_01_1856__o9a0ec8b0fd9e42d382778df75c50cbe1"><li id="mrs_01_1856__li240875211401">Add a folder or a file path in <strong id="mrs_01_1856__b571851022">Resource Path</strong>.</li><li id="mrs_01_1856__li1375017398406">In the <strong id="mrs_01_1856__b1723280218">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1856__b22417818211">Select User</strong> drop-down list.</li><li id="mrs_01_1856__l6dfdbf89d41a4bd79c5d6fc664702669">Click <strong id="mrs_01_1856__b837204119219">Add Permissions</strong> and select <strong id="mrs_01_1856__b13378441323">Read</strong> and <strong id="mrs_01_1856__b3379114115210">Execute</strong>.</li></ol>
</td>
</tr>
<tr id="mrs_01_1856__r8fed251f76ed451c8aac26345e3c05eb"><td class="cellrowborder" valign="top" width="37.41%" headers="mcps1.3.3.2.4.2.4.2.3.1.1 "><p id="mrs_01_1856__a704526dfe1054cb2896940af773263dc">Setting the permission for users to write data to files of other users</p>
</td>
<td class="cellrowborder" valign="top" width="62.59%" headers="mcps1.3.3.2.4.2.4.2.3.1.2 "><ol type="a" id="mrs_01_1856__o4fa07111ada04dfc8e7c44b5a19c4834"><li id="mrs_01_1856__li161018543415">Add a folder or a file path in <strong id="mrs_01_1856__b15797184610213">Resource Path</strong>.</li><li id="mrs_01_1856__l8d58d349fcd042c3b69dfcbe8788d741">In the <strong id="mrs_01_1856__b395044815213">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1856__b18951184819216">Select User</strong> drop-down list.</li><li id="mrs_01_1856__ld8bc3344800448908c36bc13c73993c8">Click <strong id="mrs_01_1856__b1588085919219">Add Permissions</strong> and select <strong id="mrs_01_1856__b198860592215">Write</strong> and <strong id="mrs_01_1856__b148870598216">Execute</strong>.</li></ol>
</td>
</tr>
<tr id="mrs_01_1856__re017a0dbcf9e42efa1310e1106db7d31"><td class="cellrowborder" valign="top" width="37.41%" headers="mcps1.3.3.2.4.2.4.2.3.1.1 "><p id="mrs_01_1856__a21c768ba621b4b848ae8e2ef41a978a0">Setting the permission for users to create or delete sub-files or sub-directories in the directory of other users</p>
</td>
<td class="cellrowborder" valign="top" width="62.59%" headers="mcps1.3.3.2.4.2.4.2.3.1.2 "><ol type="a" id="mrs_01_1856__oe6b0d0e9c3a0463385039a4affb02ac7"><li id="mrs_01_1856__li118832015144218">Add a folder or a file path in <strong id="mrs_01_1856__b2028710319319">Resource Path</strong>.</li><li id="mrs_01_1856__li073312714210">In the <strong id="mrs_01_1856__b659818610320">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1856__b105999614310">Select User</strong> drop-down list.</li><li id="mrs_01_1856__lcc818b93fd7f45ce8a4ffd6b3aae63a8">Click <strong id="mrs_01_1856__b172019919312">Add Permissions</strong> and select <strong id="mrs_01_1856__b1220713915320">Write</strong> and <strong id="mrs_01_1856__b122081895311">Execute</strong>.</li></ol>
</td>
</tr>
<tr id="mrs_01_1856__rd5217b631eb6421aa7c45644bc254a13"><td class="cellrowborder" valign="top" width="37.41%" headers="mcps1.3.3.2.4.2.4.2.3.1.1 "><p id="mrs_01_1856__a32d8391db46e4787a7d096da8a671898">Setting the permission for users to execute directories or files of other users</p>
</td>
<td class="cellrowborder" valign="top" width="62.59%" headers="mcps1.3.3.2.4.2.4.2.3.1.2 "><ol type="a" id="mrs_01_1856__o80b909ed22fd45f8baffe926ef71587f"><li id="mrs_01_1856__li623663519422">Add a folder or a file path in <strong id="mrs_01_1856__b25597131737">Resource Path</strong>.</li><li id="mrs_01_1856__li1569632216425">In the <strong id="mrs_01_1856__b86937181139">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1856__b5698111812313">Select User</strong> drop-down list.</li><li id="mrs_01_1856__l2a448ca013bc4123ba33c29bc60b8ae1">Click <strong id="mrs_01_1856__b1846782012313">Add Permissions</strong> and select <strong id="mrs_01_1856__b1246817201634">Execute</strong>.</li></ol>
</td>
</tr>
<tr id="mrs_01_1856__r8e38f61d29dd4e1891c772dbac3b9553"><td class="cellrowborder" valign="top" width="37.41%" headers="mcps1.3.3.2.4.2.4.2.3.1.1 "><p id="mrs_01_1856__aa0f319c900db48d09482597f63c8c3a8">Setting the permission for allowing subdirectories to inherit all permissions of their parent directories</p>
</td>
<td class="cellrowborder" valign="top" width="62.59%" headers="mcps1.3.3.2.4.2.4.2.3.1.2 "><ol type="a" id="mrs_01_1856__o5ed1ea0602864bf69370bc42e1862a76"><li id="mrs_01_1856__l8f68db749be04f85834a14e4c37741b2">Add a folder or a file path in <strong id="mrs_01_1856__b8945752121715">Resource Path</strong>.</li><li id="mrs_01_1856__l93b59f0c5d54426aa46fd67f66cf3910">Enable the recursion function. <strong id="mrs_01_1856__b1741565412175">Recursive</strong> indicates that recursion is enabled.</li></ol>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="mrs_01_1856__li1843153914410"><span>(Optional) Add the validity period of the policy. Click <strong id="mrs_01_1856__b779016593173">Add Validity period</strong> in the upper right corner of the page, set <strong id="mrs_01_1856__b2796759141716">Start Time</strong> and <strong id="mrs_01_1856__b1879716594179">End Time</strong>, and select <strong id="mrs_01_1856__b1379715941714">Time Zone</strong>. Click <strong id="mrs_01_1856__b64628014713">Save</strong>. To add multiple policy validity periods, click <span><img id="mrs_01_1856__image15741956174617" src="en-us_image_0000001349169797.png"></span>. To delete a policy validity period, click <span><img id="mrs_01_1856__image9741115619467" src="en-us_image_0000001349169801.png"></span>.</span></li><li id="mrs_01_1856__li18337132412418"><span>Click <strong id="mrs_01_1856__b1064710450186">Add</strong> to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions work as expected.</span><p><p id="mrs_01_1856__p63219632216">To disable a policy, click <span><img id="mrs_01_1856__image1876104732217" src="en-us_image_0000001295930236.png"></span> to edit the policy and set the policy to <strong id="mrs_01_1856__b1703185016193">Disabled</strong>.</p>
<p id="mrs_01_1856__p1156483182316">If a policy is no longer used, click <span><img id="mrs_01_1856__image79841567249" src="en-us_image_0000001349089905.png"></span> to delete it.</p>
</p></li></ol>
</div>
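<p>The precedence rules in Table 1 (deny conditions over allow conditions, exclusions over the conditions they modify, and Deny All Other Accesses as the fallback) can be sketched as a small evaluator. This is an added example, not Ranger or MRS code: the dictionary keys, the <code>decide</code> function and the sample policy are constructed for illustration, <code>*</code> is treated as matching any run of characters, and only a single policy is modeled.</p>

```python
from fnmatch import fnmatchcase

# Constructed sample policy. Key names are this example's own, not Ranger's schema.
POLICY = {
    "paths": ["/user/test"],
    "recursive": True,                      # Resource Path: recursive
    "allow": [{"users": ["testuser"], "ips": ["192.168.1.*"],
               "perms": ["read", "write", "execute"]}],
    "allow_exclude": [{"users": ["testuser"], "ips": ["192.168.1.20"],
                       "perms": ["write"]}],
    "deny": [{"users": ["testuser"], "ips": [], "perms": ["execute"]}],
    "deny_exclude": [{"users": ["testuser"], "ips": ["192.168.1.10"],
                      "perms": ["execute"]}],
    "deny_all_other": False,
}


def path_matches(policy, path):
    """True if the policy's Resource Path covers the requested path."""
    for pattern in policy["paths"]:
        if fnmatchcase(path, pattern):
            return True
        # With recursion enabled, everything below the directory is covered.
        if policy["recursive"] and path.startswith(pattern.rstrip("/") + "/"):
            return True
    return False


def rule_hits(rules, user, ip, perm):
    """True if any rule names this user and permission and its IP filter matches."""
    for rule in rules:
        # An empty IP list means the rule applies from any address.
        ip_ok = not rule["ips"] or any(fnmatchcase(ip, p) for p in rule["ips"])
        if user in rule["users"] and perm in rule["perms"] and ip_ok:
            return True
    return False


def decide(policy, user, ip, path, perm):
    """Return 'allow', 'deny' or 'no-decision' for one request against one policy."""
    if not path_matches(policy, path):
        return "no-decision"
    args = (user, ip, perm)
    # Deny Conditions outrank Allow Conditions; an exclusion cancels a deny hit.
    if rule_hits(policy["deny"], *args) and not rule_hits(policy["deny_exclude"], *args):
        return "deny"
    # An allow hit counts only if Exclude from Allow Conditions does not match.
    if rule_hits(policy["allow"], *args) and not rule_hits(policy["allow_exclude"], *args):
        return "allow"
    # Deny All Other Accesses = True rejects whatever was not explicitly allowed.
    return "deny" if policy["deny_all_other"] else "no-decision"
```

<p>A <code>no-decision</code> result means this policy neither grants nor rejects the request; how such a request is resolved is outside what this topic describes.</p>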
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_1849.html">Using Ranger (MRS 3.x)</a></div>
</div>
</div>