Adding a Ranger Access Permission Policy for HetuEngine¶
Scenario¶
Ranger administrators can use Ranger to configure the permission to manage databases, tables, and columns of data sources for HetuEngine users.
Prerequisites¶
The Ranger service has been installed and is running properly.
You have created users, user groups, or roles for which you want to configure permissions.
The users have been added to the hetuadmin group.
Before using HetuEngine, ensure that the client operator or user in the configuration file for connecting to the data source has the expected operation permission. If the user does not have it, configure the permission by referring to the corresponding data source permission requirements.
Procedure¶
Log in to the Ranger web UI. Click HetuEngine in the PRESTO area on the homepage.
On the Access tab page, click Add New Policy to add a HetuEngine permission control policy.
Configure the parameters listed in the table below based on the service demands.
Policy Name: Policy name, which can be customized and must be unique in the service.
  Enabled: Enable the current policy.
  Disabled: Disable the current policy.
Policy Conditions: IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10, 192.168.1.20, or 192.168.1.*.
Policy Label: A label specified for the current policy. You can search for reports and filter policies based on labels.
Presto Catalog: Name of the data source catalog to which the policy applies. If this parameter is set to *, the policy applies to all catalogs.
  Include: The policy applies to the current input object.
  Exclude: The policy applies to objects other than the current input.
Schema: Name of the schema to which the policy applies. The value * indicates all schemas.
  Include: The policy applies to the current input object.
  Exclude: The policy applies to objects other than the current input.
Table: Name of the table or view to which the policy applies. If this parameter is set to *, the policy applies to all tables.
  Include: The policy applies to the current input object.
  Exclude: The policy applies to objects other than the current input.
Column: Name of the column to which the policy applies. The value * indicates all columns.
Description: Policy description.
Audit Logging: Whether to audit the policy.
Allow Conditions: Policy allowed condition. You can configure the permissions and exceptions allowed by the policy.
  In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which you want to assign permissions. Click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add the corresponding permissions:
  Select: permission to query data
  Insert: permission to insert data
  Create: permission to create data
  Drop: permission to drop data
  Delete: permission to delete data
  Use: permission to use data
  Alter: permission to alter data
  Update: permission to update data
  Admin: admin permissions (control of ACL operations, such as SET SESSION, GRANT, and REVOKE)
  All: all permissions (including the Admin permission)
  Select/Deselect All: Select or deselect all of the above.
  To add multiple permission control rules, click the add icon.
  If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users become delegated administrators: they can update and delete this policy and create sub-policies based on it.
Deny Conditions: Policy rejection condition, which is used to configure the permissions and exceptions to be denied by the policy. The configuration method is the same as that of Allow Conditions.
The tasks below list the role authorization required for each common operation.
Granting the access policy to the catalog where the table is located
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the resource to be authorized, for example, hive.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Select.
Note: This policy is a basic policy. Before configuring other policies, ensure that this policy has been configured.
Granting the permission to access the remote HetuEngine table
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the table to be authorized, for example, systemremote and svc.
Select schema from the drop-down list box under Presto Catalog and enter * in the text box.
Select table from the drop-down list box under schema and enter * in the text box.
Select column from the drop-down list box under table and enter * in the text box.
Enter the authorized remote HetuEngine user in the Select User text box.
In Permissions, select Create, Drop, Select, and Insert.
Note: This policy is a basic policy for remote HetuEngine tables. Before configuring other policies, ensure that this policy has been configured.
Create schemas
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the target schema to be authorized in the text box. If this parameter is set to *, all schemas under the current catalog are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Create.
Drop schemas
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the target schema to be authorized in the text box. If this parameter is set to *, all schemas under the current catalog are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Drop.
Create table
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Create.
Drop tables
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Drop.
Alter tables
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Alter.
Note: ALTER TABLE table_name DROP [IF EXISTS] PARTITION partition_spec[, PARTITION partition_spec, ...]; requires the table-level Delete permission and the column-level Select permission.
Show tables
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the target schema whose tables are allowed to be listed in the text box, for example, default.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Select.
Insert tables
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Insert.
Delete
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Delete.
Select
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box.
Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
Select column from the drop-down list box under table and enter the name of the target column to be authorized in the text box. If this parameter is set to *, all columns under the current table are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Select.
Show columns
Enter the policy name in Policy Name.
In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
Select column from the drop-down list box under table and enter the name of the target column to be authorized in the text box. If this parameter is set to *, all columns under the current table are authorized.
Enter the authorized Hetu user in the Select User text box.
In Permissions, select Select.
Set sessions
Enter the policy name in Policy Name.
Enter * in the Presto Catalog text box.
Enter the authorized Hetu user in the Select User text box.
Select Delegate Admin.
Note: The configuration takes effect about 30 seconds after the permission is configured.
Note: Permission control is currently available down to the column level.
(Optional) Add the validity period of the policy. Click Add Validity Period in the upper right corner of the page, set Start Time and End Time, and select Time Zone. Click Save. To add multiple policy validity periods, click the add icon. To delete a policy validity period, click the delete icon.
Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.
To disable a policy, click the edit icon to edit the policy and set the policy to Disabled.
If a policy is no longer used, click the delete icon to delete it.
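As an added illustration (not part of the original documentation and not Ranger's own code), the following Python model shows how the parameters in the table above and the task table combine into an access decision: resource values with * and Include/Exclude, Allow and Deny Conditions, the All permission, and the Enabled toggle. The names Resource, Policy, is_allowed, the user hetu_user1 and the sample policies are assumptions, and the matching rules are a deliberate simplification of Ranger's policy matcher.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Resource:
    pattern: str            # value entered in the UI; '*' matches everything
    exclude: bool = False   # Exclude: the policy applies to everything except the pattern

    def matches(self, name: str) -> bool:
        hit = fnmatch.fnmatchcase(name, self.pattern)
        return (not hit) if self.exclude else hit

@dataclass
class Policy:
    name: str
    resources: dict                              # level -> Resource (catalog/schema/table/column)
    allow: list = field(default_factory=list)    # Allow Conditions: [(users, permissions)]
    deny: list = field(default_factory=list)     # Deny Conditions, same shape
    enabled: bool = True

    def covers(self, target: dict) -> bool:
        # Simplification: a policy decides requests at exactly the level it is scoped
        # to, so a column policy never decides a catalog-level request; this is why
        # the page's examples enter '*' explicitly for schema, table and column.
        return (self.resources.keys() == target.keys()
                and all(self.resources[l].matches(n) for l, n in target.items()))

def granted(conditions, user, perm) -> bool:
    # "All" covers every permission, including Admin
    return any(user in users and ({perm, "all"} & perms) for users, perms in conditions)

def is_allowed(policies, user, perm, **target) -> bool:
    """Assumption of this model: a matching Deny Condition wins over any Allow."""
    live = [p for p in policies if p.enabled and p.covers(target)]
    if any(granted(p.deny, user, perm) for p in live):
        return False
    return any(granted(p.allow, user, perm) for p in live)

# Constructed sample policies mirroring the task table: the basic catalog policy,
# Select on every column of hive.default.*, and a Deny on the salary column.
HIVE, DEFAULT, ANY = Resource("hive"), Resource("default"), Resource("*")
POLICIES = [
    Policy("hive_catalog", {"catalog": HIVE}, allow=[({"hetu_user1"}, {"select"})]),
    Policy("select_default", {"catalog": HIVE, "schema": DEFAULT, "table": ANY, "column": ANY},
           allow=[({"hetu_user1"}, {"select"})]),
    Policy("deny_salary", {"catalog": HIVE, "schema": DEFAULT, "table": ANY,
                           "column": Resource("salary")},
           deny=[({"hetu_user1"}, {"select"})]),
]
```

A request is expressed as keyword levels, for example is_allowed(POLICIES, "hetu_user1", "select", catalog="hive", schema="default", table="t1", column="name"), and the deny on salary overrides the wildcard Select.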
HetuEngine Data Masking¶
Ranger supports data masking for HetuEngine data. It processes the result set returned by a user's select operation so that sensitive information is masked.
Log in to the Ranger web UI. Click HetuEngine in the PRESTO area on the homepage.
On the Masking tab page, click Add New Policy to add a HetuEngine data masking policy.
Configure the parameters listed in the table below based on the service demands.
Policy Name: Policy name, which can be customized and must be unique in the service.
Policy Conditions: IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10, 192.168.1.20, or 192.168.1.*.
Policy Label: A label specified for the current policy. You can search for reports and filter policies based on labels.
Presto Catalog: Name of the catalog to which the current policy applies.
Presto Schema: Name of the database to which the current policy applies.
Presto Table: Name of the table to which the current policy applies.
Presto Column: Name of the column to which the current policy applies.
Description: Policy description.
Audit Logging: Whether to audit the policy.
Mask Conditions: In the Select Role, Select Group, and Select User columns, select the object to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, then click Add Permissions, and select Select.
  Click Select Masking Option and select a data masking policy:
  Redact: Use x to mask all letters and 0 to mask all digits.
  Partial mask: show last 4: Only the last four characters are displayed; the remaining characters are displayed as x.
  Partial mask: show first 4: Only the first four characters are displayed; the remaining characters are displayed as x.
  Hash: Replace the original value with its hash value.
  Nullify: Replace the original value with NULL.
  Unmasked (retain original value): Keep the original value.
  Custom: A custom masking expression. Its return data type must be valid and the same as the data type of the masked column.
To add a multi-column masking policy, click the add icon.
Click Add to view the basic information about the policy in the policy list.
After a user performs the select operation on a table for which a data masking policy has been configured on a HetuEngine client, the system processes the data and displays it.
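As an added example (not the page's or Ranger's own code), this Python snippet emulates the masking options listed above on a constructed select result, showing what a user subject to the policy would see. The function names, the choice of SHA-256 for the Hash option, and the sample rows and column options are assumptions.

```python
import hashlib

# Emulation of the masking options in the table above; cell values are handled as strings.
def redact(value: str) -> str:
    # Redact: every letter becomes x and every digit becomes 0; other characters stay
    return "".join("x" if c.isalpha() else "0" if c.isdigit() else c for c in value)

def show_last4(value: str) -> str:
    # Partial mask: show last 4; everything before the last four characters becomes x
    return "x" * max(len(value) - 4, 0) + value[-4:]

def show_first4(value: str) -> str:
    # Partial mask: show first 4; everything after the first four characters becomes x
    return value[:4] + "x" * max(len(value) - 4, 0)

def hash_mask(value: str) -> str:
    # Hash: the page does not name the algorithm; SHA-256 hex is an assumption here
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

MASKS = {
    "Redact": redact,
    "Partial mask: show last 4": show_last4,
    "Partial mask: show first 4": show_first4,
    "Hash": hash_mask,
    "Nullify": lambda value: None,                      # the value becomes NULL
    "Unmasked (retain original value)": lambda value: value,
}

def apply_masking(rows, column_options, custom=None):
    """Return a masked copy of a select result.
    rows: list of dict rows; column_options: column -> masking option chosen for the
    requesting user; custom: column -> callable used when the option is 'Custom'.
    Columns without a policy and NULL cells are returned unchanged."""
    masked = []
    for row in rows:
        out = dict(row)
        for col, option in column_options.items():
            if col in out and out[col] is not None:
                fn = (custom or {})[col] if option == "Custom" else MASKS[option]
                out[col] = fn(str(out[col]))
        masked.append(out)
    return masked

# Constructed sample result of a select on a customers table, and the masking
# options assumed to be configured for one user
SAMPLE_ROWS = [{"name": "zhangsan", "phone": "13800138000", "card": "6222021234"},
               {"name": "lisi", "phone": None, "card": "6222029876"}]
SAMPLE_OPTIONS = {"name": "Redact", "phone": "Partial mask: show last 4",
                  "card": "Partial mask: show first 4"}
```

Calling apply_masking(SAMPLE_ROWS, SAMPLE_OPTIONS) yields the rows as the restricted user would see them, while the unmasked rows stay untouched.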
HetuEngine Row-level Data Filtering¶
Ranger allows you to filter data at the row level when you perform the select operation on a HetuEngine data table.
Log in to the Ranger web UI. Click HetuEngine in the PRESTO area on the homepage.
On the Row Level Filter tab page, click Add New Policy to add a row data filtering policy.
Configure the parameters listed in the table below based on the service demands.
Policy Name: Policy name, which can be customized and must be unique in the service.
Policy Conditions: IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10, 192.168.1.20, or 192.168.1.*.
Policy Label: A label specified for the current policy. You can search for reports and filter policies based on labels.
Presto Catalog: Name of the catalog to which the current policy applies.
Presto Schema: Name of the database to which the current policy applies.
Presto Table: Name of the table to which the current policy applies.
Description: Policy description.
Audit Logging: Whether to audit the policy.
Row Filter Conditions: In the Select Role, Select Group, and Select User columns, select the object to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, then click Add Permissions, and select Select.
  Click Row Level Filter and enter the data filtering rule.
  For example, to hide the rows of table A whose name column is zhangsan, the filtering rule is name <> 'zhangsan'. For more information, see the official Ranger documentation.
To add more rules, click the add icon.
Click Add to view the basic information about the policy in the policy list.
After a user performs the select operation on a HetuEngine client against a table for which a row-level filtering policy has been configured, the system filters the data and displays only the rows that pass the rule.