Manage policies in Ranger

Overview

There are two types of policies in Ranger — the resource-based and the tag-based ones. Resources are parts of services which you can manage access for (e.g. Hive column, Solr collection, etc.). A resource-based policy allows you to control access to resources for users, groups, and roles. To see a list of all available services for which you can view policies, go to the Resource Policies page. It represents a screen with services sorted into panes with corresponding names. To view a list of all resource-based policies for a service, click on its name.

Resource-based policies
Resource-based services
Resource-based policies
Resource-based services

A tag is a special service-type object like HDFS, HBase, etc. A tag-based policy allows you to control access to tags or classifications that are defined in a governance service like Apache Atlas. To see a list of all policies for a tag, head to the Tag Policies page and click on its name.

Tag-based services
Tag-based services
Tag-based services
Tag-based services

To see all the Ranger policies, go to the Reports page. This page allows you to filter the displayed policies and to export the search results as XLS, CSV, and JSON files.

Reports page
Reports page
Reports page
Reports page

All the further described actions are applicable to both resource-based and tag-based policies.

Add a policy

To add a policy for a service, please, see the Add a new policy in Ranger section in the article about a Ranger plugin for the corresponding service. A table with a service list for each product is provided below.

To add a policy for a tag, follow the steps below:

  1. Go to the Tag Policies page and click on a tag you want to create a policy for.

    Tag-based services
    Tag-based services
    Tag-based services
    Tag-based services
  2. Click Add New Policy.

    List of policies for a tag
    List of policies for a tag
    List of policies for a tag
    List of policies for a tag
  3. On the opened Create Policy page, fill in the necessary details and set up access conditions.

    Tag policy details
    Tag policy details
    Tag policy details
    Tag policy details
    Policy details parameters
    Parameter Description

    Policy Name

    The policy name. Must be unique across the system

    Enabled

    Indicates whether to enable the policy after creation

    Normal/Override

    Allows you to specify an override policy. When override state is selected, the access permissions of the new policy override the access permissions in existing policies

    Policy Label

    Allows grouping of sets of policies with one or more labels and searching for policies by label names. You can use search on the Tag Policies, Resource Policies, and Reports pages. Also helps to export/import policies. If a user has to export some specific set of policies, then they can search for a policy label and export the specific set of policies

    TAG

    A tag that data should have for this policy to be applied to it

    Description

    Describes the purpose of the policy

    Audit Logging

    Enables audit for the policy

    Add Validity Period

    Allows you to set the lifetime for the policy

  4. Click Add at the bottom of the page. The created policy will appear in the policy list for the chosen tag.

View policy details

Go to the Policies screen by clicking a service/tag name. The screen contains a list of all the policies for the chosen service/tag. To quickly find the policy you want to examine, use the search filters.

Policy list
Policy list
Policy list
Policy list
Policies screen columns
Column Description

Policy ID

A policy identifier (unique Ranger-wise)

Policy Name

Name of the policy

Policy Labels

A custom policy label

Status

An activity status of the policy (enabled/disabled)

Audit Logging

An activity status for audit logging (enabled/disabled)

Roles

Roles affected by the policy

Groups

Groups affected by the policy

Users

Users affected by the policy

Action

Actions that can be performed (view, edit, remove)

To view information about an existing policy, click ranger view service btn next to it.

Viewing policy details
Viewing policy details
Viewing policy details
Viewing policy details

Policy details and access conditions will be displayed in a pop-up window.

Edit a policy

To edit an existing policy, follow the steps below:

  1. Click ranger edit service btn next to a policy or click its ID in the Policy ID column.

    Editing a policy
    Editing a policy
    Editing a policy
    Editing a policy
  2. On the opened Edit Policy page, edit the necessary information.

  3. Click Save at the bottom of the page.

Remove a policy

To remove an existing policy, follow the steps below:

  1. Click ranger delete service btn next to a policy.

    Removing a policy
    Removing a policy
    Removing a policy
    Removing a policy
  2. Confirm the action by clicking OK in the pop-up window. The removed policy will disappear from the Policies screen.

Export policies

You can export all policies for a service/tag by clicking ranger export policy next to a service/tag name on the Service Manager screen.

Exporting policies
Exporting policies
Exporting policies
Exporting policies

In the pop-up window, select the services/tags which you want to export policies for and click Export. Policies will be exported as a single JSON file.

Choosing service instances
Choosing service instances
Choosing service instances
Choosing service instances

Another way is to head to the Reports page, filter out the necessary policies, click Export, and choose the preferred output format (XLS, CSV, or JSON).

Import a policy

You can import a policy for a service by clicking ranger import policy next to a service name on the Service Manager screen.

Importing a policy
Importing a policy
Importing a policy
Importing a policy

In the pop-up window, select a file that contains a policy in JSON format and click Import.

Selecting a file
Selecting a file
Selecting a file
Selecting a file

Label a policy

Policies can be labeled to ease their filtering. You can label a policy while creating it or during editing — just fill the Policy Label field.

Policy details
Policy details
Policy details
Policy details
Found a mistake? Seleсt text and press Ctrl+Enter to report it