HDFS plugin

Apache Ranger configuration allows you to apply both Ranger policies and HDFS permissions. When a NameNode receives a user request, the Ranger plugin checks the policies set through the Ranger Service Manager, and if there are none, checks the permissions set in HDFS.

NOTE
It’s recommended to create permissions in Ranger Service Manager and have limited permissions at the HDFS level.

Enable plugin

To enable the Ranger ADPS plugin, follow the steps below.

  1. Go to the CLUSTERS → <your_ADH_cluster> → Services window.

    [Figure: Cluster services]

  2. Click the green arrow next to HDFS and select the Manage Ranger Plugin action.

  3. Use the checkbox to select the required state (enabled or disabled).

    [Figure: Plugin state]

    If you choose the enabled state, a default policy is applied in Ranger for the HDFS plugin.

  4. Click Run.

Add a new policy to a service

To add a new policy to an existing HDFS service, you should perform the following actions:

  1. On the Service Manager page, click an existing service on the HDFS tab.

    [Figure: Service Manager]

  2. On the <HDFS_existing_service> page, click Add New Policy.

    [Figure: Add new policy]

  3. Go to <HDFS_existing_service> → Create Policy page and fill in the required fields.

    In the Policy Details section:

    • Policy Name — the policy name. This name cannot be duplicated across the system. This field is required.

    • Policy Label — provides the following features:

      • Allows grouping sets of policies under one or more labels.

      • Allows searching for policies by label names. You can use search on the Policy listing page and on the Report page.

      • Helps to export/import policies. If a user has to export some specific set of policies, then they can search for a policy label and export the specific set of policies.

    • Resource Path — defines the resource path for the policy folder/file. To avoid the need to specify the full path or include a policy for all subfolders or files, you can fill in this field using wildcards (for example, /home*) or specify that the policy should be recursive.

      Wildcards can be included in the resource path, database name, table, or column: * — indicates zero or more characters; ? — indicates one character.

    • Description — describe the purpose of the policy. This field is optional.

    • Audit Logging — click YES to enable audit for the policy.

    In the Allow Conditions section:

    • Select Role — specify the role to which this policy applies. A role is a collection of permissions. Roles present an easier way to manage a set of permissions based on specific access criteria.

    • Select Group — specify the groups to which this policy applies. To promote the user to Administrator, select the Delegate Admin checkbox. Administrators can edit or delete the policy and create child policies. The public group contains all users, so granting access to the public group grants access to all users.

    • Select User — specify a user to which this policy applies (outside an already-specified group) or make the user an Administrator for this policy. Administrators can create child policies based on existing policies.

    • Permissions — add or edit permissions.

    • Delegate Admin — use to grant administrator privileges to the users or groups specified in the policy.

    Click the grey plus icon to add additional conditions. Conditions take priority in the order listed in the policy. The condition at the top of the list is applied first, then the second, then the third, and so on.

  4. Click Add.
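
The form fields above correspond to the JSON layout Ranger uses for policies (as seen in policy export and the Ranger Admin REST API). The following added example, which is not part of the original documentation, builds that JSON and flags the settings this page calls out for review: the public group, Delegate Admin, disabled audit, and a path that starts matching at the root. The service name, policy names, paths and finding labels are assumptions.

```python
import json

def build_policy(service, name, path, recursive=False, users=(), groups=(),
                 roles=(), accesses=("read",), delegate_admin=False,
                 audit=True, labels=(), description=""):
    """Map the Create Policy form fields onto Ranger's policy JSON layout."""
    return {
        "service": service,                       # existing HDFS service name
        "name": name,                             # Policy Name (must be unique)
        "policyLabels": list(labels),             # Policy Label
        "description": description,               # Description
        "isAuditEnabled": audit,                  # Audit Logging
        "resources": {"path": {"values": [path],  # Resource Path
                               "isRecursive": recursive,
                               "isExcludes": False}},
        "policyItems": [{                         # one Allow Condition
            "roles": list(roles), "groups": list(groups), "users": list(users),
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "delegateAdmin": delegate_admin,
        }],
    }

def review_policy(policy):
    """Return the findings a reviewer would raise before clicking Add."""
    findings = []
    if not policy["isAuditEnabled"]:
        findings.append("audit-disabled")
    res = policy["resources"]["path"]
    for p in res["values"]:
        # a recursive "/" or the wildcard "/*" starts matching at the root
        if (p == "/" and res["isRecursive"]) or p == "/*":
            findings.append(f"root-level-path:{p}")
    for i, item in enumerate(policy["policyItems"]):
        if "public" in item["groups"]:
            findings.append(f"item{i}:public-group-grants-all-users")
        if item["delegateAdmin"]:
            findings.append(f"item{i}:delegate-admin")
    return findings

# Constructed sample values; "hdfs_example" is a hypothetical service name.
SCOPED = build_policy("hdfs_example", "etl-landing-read", "/data/landing",
                      recursive=True, groups=["etl"], labels=["etl"])
RISKY = build_policy("hdfs_example", "tmp-open", "/*", groups=["public"],
                     accesses=("read", "write"), delegate_admin=True, audit=False)

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    for label, pol in (("SCOPED", SCOPED), ("RISKY", RISKY)):
        print(label, review_policy(pol))
```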
