Configuring Component Permission Policies

In the newly installed MRS cluster, Ranger is installed by default, with the Ranger authentication model enabled. The system administrator can set fine-grained security policies for accessing component resources through the component permission plug-ins.

Currently, the following components in a cluster in security mode support Ranger: HDFS, Yarn, HBase, Hive, Spark2x, Kafka, HetuEngine.

Configuring User Permission Policies Using Ranger

  1. Log in to the Ranger management page as the system administrator.

  2. In the Service Manager area on the Ranger homepage, click the permission plug-in name of a component. The security access policy list of that component is displayed.

    Note

    In the policy list of each component, many items are generated by default to ensure the permissions of some default users or user groups (such as the supergroup user group). Do not delete these items. Otherwise, the permissions of the default users or user groups are affected.

  3. Click Add New Policy and configure resource access policies for related users or user groups based on the service scenario plan.

    The following policies are examples for different components:

    After the policies are added, wait for about 30 seconds for them to take effect.

    Note

    Each time a component is started, the system checks whether the default Ranger service of the component exists. If the service does not exist, the system creates the Ranger service and adds a default policy for it. If a service is deleted by mistake, you can restart the corresponding component service (or restart it in rolling mode) to restore the service. If the default policy is deleted by mistake, you can manually delete the service and then restart the component service.

  4. Choose Access Manager > Reports to view all security access policies of each component.

    If there are many system policies, filter and search for policies by the policy name, policy type, component, resource, policy label, security zone, user, or user group. Alternatively, click Export to export related policies.


    Note

    • Generally, only one policy can be configured for a fixed resource object. If multiple policies are configured for the same resource object, the policies cannot be saved.

    • For details about the priorities of different policies, see Condition Priorities of the Ranger Permission Policy.

Condition Priorities of the Ranger Permission Policy

When configuring a permission policy for a resource, you can configure Allow Conditions, Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions for the resource, so that the policy can meet the requirements of different scenarios.

The priorities of the different conditions, in descending order, are: Exclude from Deny Conditions > Deny Conditions > Exclude from Allow Conditions > Allow Conditions.

The following figure shows the process of determining condition priorities. If a component resource request does not match any permission policy in Ranger, the system rejects the access by default. For HDFS and Yarn, however, the system delegates the decision to the component's own access control layer.

[Figure: process of determining condition priorities]

For example, if you want to grant read and write permissions on the FileA folder to all members of the groupA user group except UserA (who is also a member of groupA), add an Allow Condition for groupA and an Exclude from Allow Condition for UserA.
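As an added illustration (not part of the original page and not Ranger's own source code), the decision order described above can be modelled in a few lines of Python. The model assumes a single policy per resource with exact resource matching (real Ranger resources support hierarchies and wildcards), and it uses the constructed FileA / groupA / UserA scenario from the text plus a hypothetical second user, UserB, who is also in groupA.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional

# Components for which an unmatched request is handed to the component's own
# access control layer instead of being rejected by Ranger (as the text states).
DELEGATING_COMPONENTS = frozenset({"hdfs", "yarn"})


@dataclass(frozen=True)
class PolicyItem:
    """One row of a condition set: the users/groups it applies to and the accesses it covers."""
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    accesses: FrozenSet[str] = frozenset()

    def matches(self, user: str, user_groups: FrozenSet[str], access: str) -> bool:
        if access not in self.accesses:
            return False
        return user in self.users or bool(user_groups & self.groups)


@dataclass
class Policy:
    """A simplified Ranger-style policy: one resource and its four condition sets."""
    resource: str
    allow: List[PolicyItem] = field(default_factory=list)
    allow_exceptions: List[PolicyItem] = field(default_factory=list)   # Exclude from Allow
    deny: List[PolicyItem] = field(default_factory=list)
    deny_exceptions: List[PolicyItem] = field(default_factory=list)    # Exclude from Deny


def _any_match(items: Iterable[PolicyItem], user: str, groups: FrozenSet[str], access: str) -> bool:
    return any(item.matches(user, groups, access) for item in items)


def evaluate(policy: Optional[Policy], component: str, user: str,
             groups: Iterable[str], resource: str, access: str) -> str:
    """Return "ALLOW", "DENY" or "DELEGATE" for one access request.

    Evaluation follows the stated priority order:
    Exclude from Deny > Deny > Exclude from Allow > Allow.
    A request that matches no condition is rejected by default, except for
    HDFS/Yarn, where the decision is delegated to the component.
    """
    group_set = frozenset(groups)
    if policy is not None and policy.resource == resource:
        # Deny conditions are checked first; a matching Exclude from Deny item
        # cancels the deny (highest priority).
        if (_any_match(policy.deny, user, group_set, access)
                and not _any_match(policy.deny_exceptions, user, group_set, access)):
            return "DENY"
        # Allow conditions take effect only if no Exclude from Allow item matches.
        if (_any_match(policy.allow, user, group_set, access)
                and not _any_match(policy.allow_exceptions, user, group_set, access)):
            return "ALLOW"
    # No condition matched: apply Ranger's default decision for this component.
    return "DELEGATE" if component.lower() in DELEGATING_COMPONENTS else "DENY"


# Constructed policy mirroring the text's example: groupA may read/write /FileA,
# but UserA (a groupA member) is excluded from that allow.
RW = frozenset({"read", "write"})
FILEA_POLICY = Policy(
    resource="/FileA",
    allow=[PolicyItem(groups=frozenset({"groupA"}), accesses=RW)],
    allow_exceptions=[PolicyItem(users=frozenset({"UserA"}), accesses=RW)],
)


def demo() -> dict:
    """Evaluate a few constructed requests against FILEA_POLICY."""
    return {
        "UserB read (hive)": evaluate(FILEA_POLICY, "hive", "UserB", {"groupA"}, "/FileA", "read"),
        "UserA read (hive)": evaluate(FILEA_POLICY, "hive", "UserA", {"groupA"}, "/FileA", "read"),
        "UserC read (hive)": evaluate(FILEA_POLICY, "hive", "UserC", {"groupB"}, "/FileA", "read"),
        "UserA read (hdfs)": evaluate(FILEA_POLICY, "hdfs", "UserA", {"groupA"}, "/FileA", "read"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {decision}")
```

Running the block shows that UserB is allowed, UserA is rejected by the Exclude from Allow item, an unrelated user is rejected because nothing matches, and for HDFS the unmatched UserA request is delegated to the component's own access control rather than rejected by Ranger.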