...
It is customary for large data centers to identify user-accessible data resources (HDFS files/directories, Hive databases/tables, etc.) by encoding the user name, or some other user-specific attribute value, in the resource name. In such cases, the Ranger administrator needs to author multiple policies, one for each of these distinct resource names. RANGER-698 proposes a generic way to author Ranger policies that exploit this relationship between the resource name and the access permissions of its users, so that an equivalent access-control regime can be achieved with a single policy or a small number of policies. Besides making the mapping from an enterprise-wide, high-level access-control regime to Ranger policy specifications clearer, fewer policies in general lead to a significant improvement in capacity and performance, both in Ranger administration and in Ranger-enabled components.
Use Cases
HDFS
Resource Names
...
There are multiple HDFS users, each with a 'home' directory under '/home' which is named by the user's name.
Access Control Regime
...
A user can access all files only under their own 'home' directory.
...
In this way, this one policy can replace many Ranger policies, each with a different resource specification and a different user in its policy-item specification.
Hive
Resource Names
...
There are multiple databases within the Data Center/Data Lake. Each database name contains the name of the user who holds all access permissions to that database. There may be thousands of Hive users.
Access Control Regime
...
A user can access only the database named after them and cannot access any other database; the only exception is a special user named 'hive', who can access every database.
...
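The two regimes above can be captured by a handful of templated policies instead of one policy per user. The following Python sketch is an added illustration, not Ranger's own policy engine: it assumes a "{USER}" token in a resource name stands for the requesting user, evaluates the HDFS and Hive use cases against three constructed policies, and shows the two matching pitfalls a real evaluator must avoid (a '..' segment escaping the home directory, and '/home/alice' matching '/home/alice2' on a naive prefix test).

```python
import fnmatch
import posixpath

# Constructed example policies. A "{USER}" token in a resource name is
# replaced by the name of the requesting user before matching; the token
# syntax itself is an assumption of this example, not taken from the page.
POLICIES = [
    # HDFS: each user reaches only their own home tree.
    {"service": "hdfs", "resource": "/home/{USER}", "users": ["{USER}"]},
    # Hive: each user reaches only the database named after them ...
    {"service": "hive", "resource": "{USER}_db", "users": ["{USER}"]},
    # ... while the special 'hive' user reaches every database.
    {"service": "hive", "resource": "*", "users": ["hive"]},
]


def expand(template, user):
    """Substitute the requesting user's name into a templated value."""
    return template.replace("{USER}", user)


def hdfs_path_matches(policy_path, requested):
    """Recursive match on whole path components.

    Both paths are normalised so '/home/alice/../bob' cannot escape the
    expanded home directory, and the trailing separator check stops
    '/home/alice' from matching a sibling such as '/home/alice2'.
    """
    base = posixpath.normpath(policy_path)
    path = posixpath.normpath(requested)
    return path == base or path.startswith(base.rstrip("/") + "/")


def is_allowed(service, user, resource, policies=POLICIES):
    """True if some policy, expanded for this user, grants the resource."""
    for p in policies:
        if p["service"] != service:
            continue
        # The user list may itself carry the token ("the user in the name").
        if user not in {expand(u, user) for u in p["users"]}:
            continue
        target = expand(p["resource"], user)
        if service == "hdfs" and hdfs_path_matches(target, resource):
            return True
        if service == "hive" and fnmatch.fnmatchcase(resource, target):
            return True
    return False
```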