Home
Arenadata Platform Security
How to
Ranger
Ranger Admin UI
Access Manager
Manage policies

Manage policies in Ranger

Sergei Tikhomirov

Contents

Overview
Add a policy
View policy details
Edit a policy
Remove a policy
Export policies
Import a policy
Label a policy

Overview

There are two types of policies in Ranger — the resource-based and the tag-based ones. Resources are parts of services which you can manage access for (e.g. Hive column, Solr collection, etc.). A resource-based policy allows you to control access to resources for users, groups, and roles. To see a list of all available services for which you can view policies, go to the Access Manager → Resource Based Policies page. It represents a screen with services sorted into panes with corresponding names. To view a list of all resource-based policies for a service, click on its name.

Resource-based services

A tag is a special service-type object like HDFS, HBase, etc. A tag-based policy allows you to control access to tags or classifications that are defined in a governance service like Apache Atlas. To see a list of all policies for a tag, head to the Access Manager → Tag Based Policies page and click on its name.

Tag-based services

To see all the Ranger policies, go to the Access Manager → Reports page. This page allows you to filter the displayed policies and to export the search results as XLS, CSV, and JSON files.

Reports page

All the further described actions are applicable to both resource-based and tag-based policies.

Add a policy

To add a policy for a service, please, see the Add a new policy in Ranger section in the article about a Ranger plugin for the corresponding service. A table with a service list for each product is provided below.

ADH
ADS
ADPS

Kafka
NiFi

Knox
Solr

To add a policy for a tag, follow the steps below:

Go to the Access Manager → Tag Based Policies page and click on a tag you want to create a policy for.

Tag-based services

Tag-based services
Click Add New Policy.

List of policies for a tag

List of policies for a tag

On the opened Create Policy page, fill in the necessary details and set up access conditions.

Tag policy details

Policy details parameters
Parameter	Description
Policy Name	The policy name. Must be unique across the system
Enabled	Indicates whether to enable the policy after creation
Normal/Override	Allows you to specify an override policy. When *override* state is selected, the access permissions of the new policy override the access permissions in existing policies
Policy Label	Allows grouping of sets of policies with one or more labels and searching for policies by label names. You can use search on the *Tag Based Policies, Resource Based Policies, and Reports* pages. Also helps to export/import policies. If a user has to export some specific set of policies, then they can search for a policy label and export the specific set of policies
TAG	A tag that data should have for this policy to be applied to it
Description	Describes the purpose of the policy
Audit Logging	Enables audit for the policy
Add Validity Period	Allows you to set the lifetime for the policy

Click Add at the bottom of the page. The created policy will appear in the policy list for the chosen tag.

View policy details

Go to the Policies screen by clicking a service/tag name. The screen contains a list of all the policies for the chosen service/tag. To quickly find the policy you want to examine, use the search filters.

Policy list

Policies screen columns

Column

Description

Policy ID

A policy identifier (unique Ranger-wise)

Policy Name

Name of the policy

Policy Labels

A custom policy label

Status

An activity status of the policy (enabled/disabled)

Audit Logging

An activity status for audit logging (enabled/disabled)

Roles

Roles affected by the policy

Groups

Groups affected by the policy

Users

Users affected by the policy

Action

Actions that can be performed (view, edit, remove)

To view information about an existing policy, click ranger view service btn next to it.

Viewing policy details

Policy details and access conditions will be displayed in a pop-up window.

Edit a policy

To edit an existing policy, follow the steps below:

Click next to a policy or click its ID in the Policy ID column.

Editing a policy

Editing a policy
On the opened Edit Policy page, edit the necessary information.
Click Save at the bottom of the page.

Remove a policy

To remove an existing policy, follow the steps below:

Click next to a policy.

Removing a policy

Removing a policy
Confirm the action by clicking OK in the pop-up window. The removed policy will disappear from the Policies screen.

Export policies

You can export all policies for a service/tag by clicking ranger export policy next to a service/tag name on the Service Manager screen.

Exporting policies

In the pop-up window, select the services/tags which you want to export policies for and click Export. Policies will be exported as a single JSON file.

Choosing service instances

Another way is to head to the Access Manager → Reports page, filter out the necessary policies, click Export, and choose the preferred output format (XLS, CSV, or JSON).