Manage policies in Ranger
Overview
There are two types of policies in Ranger — the resource-based and the tag-based ones. Resources are parts of services which you can manage access for (e.g. Hive column, Solr collection, etc.). A resource-based policy allows you to control access to resources for users, groups, and roles. To see a list of all available services for which you can view policies, go to the Resource Policies page. It represents a screen with services sorted into panes with corresponding names. To view a list of all resource-based policies for a service, click on its name.
A tag is a special service-type object like HDFS, HBase, etc. A tag-based policy allows you to control access to tags or classifications that are defined in a governance service like Apache Atlas. To see a list of all policies for a tag, head to the Tag Policies page and click on its name.
To see all the Ranger policies, go to the Reports page. This page allows you to filter the displayed policies and to export the search results as XLS, CSV, and JSON files.
All the further described actions are applicable to both resource-based and tag-based policies.
Add a policy
To add a policy for a service, please, see the Add a new policy in Ranger section in the article about a Ranger plugin for the corresponding service. A table with a service list for each product is provided below.
To add a policy for a tag, follow the steps below:
-
Go to the Tag Policies page and click on a tag you want to create a policy for.
Tag-based servicesTag-based services -
Click Add New Policy.
List of policies for a tagList of policies for a tag -
On the opened Create Policy page, fill in the necessary details and set up access conditions.
Tag policy detailsTag policy detailsPolicy details parameters Parameter Description Policy Name
The policy name. Must be unique across the system
Enabled
Indicates whether to enable the policy after creation
Normal/Override
Allows you to specify an override policy. When override state is selected, the access permissions of the new policy override the access permissions in existing policies
Policy Label
Allows grouping of sets of policies with one or more labels and searching for policies by label names. You can use search on the Tag Policies, Resource Policies, and Reports pages. Also helps to export/import policies. If a user has to export some specific set of policies, then they can search for a policy label and export the specific set of policies
TAG
A tag that data should have for this policy to be applied to it
Description
Describes the purpose of the policy
Audit Logging
Enables audit for the policy
Add Validity Period
Allows you to set the lifetime for the policy
-
Click Add at the bottom of the page. The created policy will appear in the policy list for the chosen tag.
View policy details
Go to the Policies screen by clicking a service/tag name. The screen contains a list of all the policies for the chosen service/tag. To quickly find the policy you want to examine, use the search filters.
Column | Description |
---|---|
Policy ID |
A policy identifier (unique Ranger-wise) |
Policy Name |
Name of the policy |
Policy Labels |
A custom policy label |
Status |
An activity status of the policy (enabled/disabled) |
Audit Logging |
An activity status for audit logging (enabled/disabled) |
Roles |
Roles affected by the policy |
Groups |
Groups affected by the policy |
Users |
Users affected by the policy |
Action |
To view information about an existing policy, click next to it.
Policy details and access conditions will be displayed in a pop-up window.
Edit a policy
To edit an existing policy, follow the steps below:
-
Click next to a policy or click its ID in the Policy ID column.
Editing a policyEditing a policy -
On the opened Edit Policy page, edit the necessary information.
-
Click Save at the bottom of the page.
Remove a policy
To remove an existing policy, follow the steps below:
-
Click next to a policy.
Removing a policyRemoving a policy -
Confirm the action by clicking OK in the pop-up window. The removed policy will disappear from the Policies screen.
Export policies
You can export all policies for a service/tag by clicking next to a service/tag name on the Service Manager screen.
In the pop-up window, select the services/tags which you want to export policies for and click Export. Policies will be exported as a single JSON file.
Another way is to head to the Reports page, filter out the necessary policies, click Export, and choose the preferred output format (XLS, CSV, or JSON).