...

It is customary in large data centers to name user-accessible data resources (HDFS files and directories, Hive databases and tables, etc.) after the user name or some other user-specific attribute value. In such cases the Ranger administrator needs to author multiple policies, one for each of these distinct resource names. RANGER-698 proposes a generic way to author Ranger policies that exploits the relationship between a resource name and the access permissions of its users, so that an equivalent access control regime can be achieved with a single policy or a small number of policies. Besides making the mapping from the enterprise-wide, high-level access control regime to Ranger policy specifications clearer, fewer policies generally lead to significant improvements in capacity and performance, both in Ranger administration and in Ranger-enabled components.

Use Cases

HDFS

Resource Names

...

There are multiple HDFS users, each with a 'home' directory under '/home' that is named after the user's name.

Access Control Regime

...

A user can access all files only under their own 'home' directory.

...

In this way, this one policy can replace many Ranger policies, each with a different resource specification and a different user in its policy-item specification.

Hive

Resource Names

...

There are multiple databases within the Data Center/Data Lake. Each database name contains the name of the user who has all access permissions to it. There may be thousands of Hive users.

Access Control Regime

...

A user can access only the database that is named with their name and cannot access any other database, unless the user is the special user named 'hive'.
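The following added example (not Ranger's code) models both use cases above, the HDFS home directories and the per-user Hive databases, as a single policy each. It assumes a `{USER}` placeholder that is replaced by the requesting user's name in both the resource name and the user list, and the constructed resource templates `/home/{USER}` and `{USER}_db`; the main check it adds is that the substituted name is matched literally, so a user name can never widen a wildcard the policy author did not write.

```python
import fnmatch
import glob
from dataclasses import dataclass

USER_TOKEN = "{USER}"  # placeholder replaced by the requesting user's name (assumed syntax)


@dataclass(frozen=True)
class Policy:
    service: str             # "hdfs" or "hive"
    resource: str            # template; may hold {USER} and policy-authored '*'
    users: frozenset         # literal user names and/or the {USER} token
    permissions: frozenset
    recursive: bool = False  # HDFS: also cover everything below the directory


def expand(template: str, user: str) -> str:
    # The name is inserted literally: glob.escape stops a user called "a*"
    # from turning the template into a wider wildcard than the author wrote.
    return template.replace(USER_TOKEN, glob.escape(user))


def resource_matches(pattern: str, requested: str, recursive: bool) -> bool:
    if fnmatch.fnmatchcase(requested, pattern):
        return True
    # recursive: the template names a directory; accept any descendant path
    return recursive and fnmatch.fnmatchcase(requested, pattern.rstrip("/") + "/*")


def is_allowed(policies, service, user, resource, permission) -> bool:
    for p in policies:
        if p.service != service or permission not in p.permissions:
            continue
        # {USER} in the user list means "the requesting user", whoever that is
        if user not in {user if u == USER_TOKEN else u for u in p.users}:
            continue
        if resource_matches(expand(p.resource, user), resource, p.recursive):
            return True
    return False  # default deny when no policy grants the access


HIVE_PERMS = frozenset({"select", "update", "create", "drop"})
# constructed policy set: one policy per use case instead of one per user
POLICIES = [
    Policy("hdfs", "/home/{USER}", frozenset({USER_TOKEN}),
           frozenset({"read", "write", "execute"}), recursive=True),
    Policy("hive", "{USER}_db", frozenset({USER_TOKEN}), HIVE_PERMS),
    Policy("hive", "*", frozenset({"hive"}), HIVE_PERMS),  # the special 'hive' user
]
```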

...