Ranger Privileges
Introduction
This document details the required Ranger policies and permissions.
Cloudera Data Platform Private Cloud
Cloud Storage

Service | Policy Name | Resources | Allow Conditions: User | Allow Conditions: Permissions |
---|---|---|---|---|
HDFS → cm_hdfs | GDP - gluent | Path (Recursive): | gluent | Read, Write, Execute |
HADOOP SQL → Hadoop SQL | GDP - UDF Library | URL: | gluent | All |
HADOOP SQL → Hadoop SQL | GDP - DB URIs | URL (Recursive): hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/ HDFS_LOAD | gluent | All |
HADOOP SQL → Hadoop SQL | GDP - DBs | DB: *, Table: *, Column: * | {OWNER} [1] | All |
 | | | gluent [2] | Create |
HADOOP SQL → Hadoop SQL | GDP - UDFs | DB: default [3], UDF: * | gluent | select, Create, Drop, Refresh |

- [1] Use of {OWNER} gives the user who created the database full control of only their own databases. This permission is already present in a preloaded resource-based Ranger policy so this must be skipped if that Ranger policy is unmodified and active.
- [2] If the preloaded resource-based Ranger policy noted in [1] is unmodified and active, this permission must be added to that Ranger policy as it is not possible to have more than one Ranger policy covering the same resources.
- [3] By default UDFs are installed into the `default` Impala database. This database can be changed by specifying the database name with the `OFFLOAD_UDF_DB` option. If `OFFLOAD_UDF_DB` is set, replace `default` with the chosen database.
HDFS Storage

Service | Policy Name | Resources | Allow Conditions: User | Allow Conditions: Permissions |
---|---|---|---|---|
HDFS → cm_hdfs | GDP - gluent | | gluent | Read, Write, Execute |
HADOOP SQL → Hadoop SQL | GDP - UDF Library | URL: hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/ | gluent | All |
HADOOP SQL → Hadoop SQL | GDP - DB URIs | | gluent | All |
HADOOP SQL → Hadoop SQL | GDP - DBs | DB: *, Table: *, Column: * | {OWNER} [4] | All |
 | | | gluent [5] | Create |
HADOOP SQL → Hadoop SQL | GDP - UDFs | DB: default [6], UDF: * | gluent | select, Create, Drop, Refresh |

- [4] Use of {OWNER} gives the user who created the database full control of only their own databases. This permission is already present in a preloaded resource-based Ranger policy so this must be skipped if that Ranger policy is unmodified and active.
- [5] If the preloaded resource-based Ranger policy noted in [4] is unmodified and active, this permission must be added to that Ranger policy as it is not possible to have more than one Ranger policy covering the same resources.
- [6] By default UDFs are installed into the `default` Impala database. This database can be changed by specifying the database name with the `OFFLOAD_UDF_DB` option. If `OFFLOAD_UDF_DB` is set, replace `default` with the chosen database.
Cloudera Data Platform Public Cloud

Service | Policy Name | Resources | Allow Conditions: User | Allow Conditions: Permissions |
---|---|---|---|---|
HDFS → cm_hdfs | GDP - gluent | Path (Recursive): | gluent | Read, Write, Execute |
HADOOP SQL → Hadoop SQL | GDP - UDF Library | URL: | gluent | All |
HADOOP SQL → Hadoop SQL | GDP - DB URIs | URL (Recursive): hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/ HDFS_LOAD | gluent | All |
HADOOP SQL → Hadoop SQL | GDP - DBs | DB: *, Table: *, Column: * | {OWNER} [7] | All |
 | | | gluent [8] | Create |
HADOOP SQL → Hadoop SQL | GDP - UDFs | DB: default [9], UDF: * | gluent | select, Create, Drop, Refresh |

- [7] Use of {OWNER} gives the user who created the database full control of only their own databases. This permission is already present in a preloaded resource-based Ranger policy so this must be skipped if that Ranger policy is unmodified and active.
- [8] If the preloaded resource-based Ranger policy noted in [7] is unmodified and active, this permission must be added to that Ranger policy as it is not possible to have more than one Ranger policy covering the same resources.
- [9] By default UDFs are installed into the `default` Impala database. This database can be changed by specifying the database name with the `OFFLOAD_UDF_DB` option. If `OFFLOAD_UDF_DB` is set, replace `default` with the chosen database.
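
The GDP - DBs footnotes in each section describe a decision: create the policy, or amend the preloaded policy that already covers the same resources. The following is an added example, not Gluent or Cloudera code, that makes that decision over policies modelled as dicts in the shape of Ranger's policy JSON. The sample policy, its name and the function names are constructed for illustration.

```python
# Added example: decide how to apply the "GDP - DBs" row from the tables above.
# Policies are plain dicts shaped like Ranger policy JSON; sample data is constructed.

DB_RESOURCES = {"database": ["*"], "table": ["*"], "column": ["*"]}
REQUIRED = {"{OWNER}": {"all"}, "gluent": {"create"}}  # from the GDP - DBs row


def covers(policy, resources):
    """True if the policy is defined on exactly these resource values."""
    res = policy.get("resources", {})
    return set(res) == set(resources) and all(
        sorted(res[k].get("values", [])) == sorted(v) for k, v in resources.items()
    )


def granted(policy):
    """Map each user to the access types allowed by the policy's allow conditions."""
    out = {}
    for item in policy.get("policyItems", []):
        types = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed", True)}
        for user in item.get("users", []):
            out.setdefault(user, set()).update(types)
    return out


def plan_db_policy(policies):
    """Return (action, policy name, missing grants) for the GDP - DBs requirement."""
    active = [p for p in policies if p.get("isEnabled", True) and covers(p, DB_RESOURCES)]
    if not active:
        return "create", "GDP - DBs", REQUIRED
    have = granted(active[0])
    missing = {}
    for user, need in REQUIRED.items():
        got = have.get(user, set())
        if "all" not in got and need - got:  # "all" satisfies any narrower access type
            missing[user] = need - got
    return ("amend" if missing else "ok"), active[0]["name"], missing


# Constructed sample: a preloaded policy granting {OWNER} everything on all databases.
PRELOADED = {
    "name": "preloaded-db-policy", "isEnabled": True,
    "resources": {k: {"values": v} for k, v in DB_RESOURCES.items()},
    "policyItems": [{"users": ["{OWNER}"], "accesses": [{"type": "all", "isAllowed": True}]}],
}

if __name__ == "__main__":
    print(plan_db_policy([PRELOADED]))  # amend the preloaded policy: add gluent Create
    print(plan_db_policy([]))           # nothing covers the resources: create GDP - DBs
```

An "amend" result corresponds to footnote 2/5/8 (add the gluent Create grant to the existing policy); a "create" result means no active policy covers the resources, so the full GDP - DBs policy is needed.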