Ranger Privileges¶

Table of Contents

Introduction
Cloudera Data Platform Private Cloud
Cloudera Data Platform Public Cloud
Documentation Feedback

Introduction ¶

This document details the required Ranger policies and permissions.

The tables in this document illustrate permissions granted directly to the Gluent Data Platform OS user (assumed to be gluent for the remainder of this document) but they can also be granted to any OS group of which the user is a member.

Cloudera Data Platform Private Cloud ¶

Cloud Storage¶

Service	Policy Name	Resources	Allow Conditions
Service	Policy Name	Resources	User	Permissions
HDFS → cm_hdfs	GDP - gluent	Path (Recursive): `HDFS_LOAD`	gluent	Read, Write, Execute
HADOOP SQL → Hadoop SQL	GDP - UDF Library	URL: `OFFLOAD_FS_SCHEME`://`OFFLOAD_FS_CONTAINER`/`OFFLOAD_FS_PREFIX`/`to_internal.so`	gluent	All
HADOOP SQL → Hadoop SQL	GDP - DB URIs	URL (Recursive): `OFFLOAD_FS_SCHEME`://`OFFLOAD_FS_CONTAINER`/`OFFLOAD_FS_PREFIX` URL (Recursive): hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/`HDFS_LOAD`	gluent	All
HADOOP SQL → Hadoop SQL	GDP - DBs	DB: `` Table: `` Column: `*`	{OWNER} 1	All
HADOOP SQL → Hadoop SQL	GDP - DBs	DB: `` Table: `` Column: `*`	gluent 2	Create
HADOOP SQL → Hadoop SQL	GDP - UDFs	DB: `default` 3 UDF: `*`	gluent	select, Create, Drop, Refresh

1(1,2): Use of {OWNER} gives the user who created the database full control of only their own databases. This permission is already present in a preloaded resource-based Ranger policy so this must be skipped if that Ranger policy is unmodified and active.
2: If the preloaded resource-based Ranger policy noted in 1 is unmodified and active, this permission must be added to that Ranger policy as it is not possible to have more than one Ranger policy covering the same resources.
3: By default UDFs are installed into the default Impala database. This database can be changed by specifying the database name with the OFFLOAD_UDF_DB option. If OFFLOAD_UDF_DB is set, replace default with the chosen database.

HDFS Storage¶

Service	Policy Name	Resources	Allow Conditions
Service	Policy Name	Resources	User	Permissions
HDFS → cm_hdfs	GDP - gluent	Path (Recursive): `HDFS_DATA` Path (Recursive): `HDFS_HOME` Path (Recursive): `HDFS_LOAD`	gluent	Read, Write, Execute
HADOOP SQL → Hadoop SQL	GDP - UDF Library	URL: hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/`HDFS_HOME`/`to_internal.so`	gluent	All
HADOOP SQL → Hadoop SQL	GDP - DB URIs	URL (Recursive): hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/`HDFS_DATA` URL (Recursive): hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/`HDFS_LOAD`	gluent	All
HADOOP SQL → Hadoop SQL	GDP - DBs	DB: `` Table: `` Column: `*`	{OWNER} 4	All
HADOOP SQL → Hadoop SQL	GDP - DBs	DB: `` Table: `` Column: `*`	gluent 5	Create
HADOOP SQL → Hadoop SQL	GDP - UDFs	DB: `default` 6 UDF: `*`	gluent	select, Create, Drop, Refresh

4(1,2): Use of {OWNER} gives the user who created the database full control of only their own databases. This permission is already present in a preloaded resource-based Ranger policy so this must be skipped if that Ranger policy is unmodified and active.
5: If the preloaded resource-based Ranger policy noted in 4 is unmodified and active, this permission must be added to that Ranger policy as it is not possible to have more than one Ranger policy covering the same resources.
6: By default UDFs are installed into the default Impala database. This database can be changed by specifying the database name with the OFFLOAD_UDF_DB option. If OFFLOAD_UDF_DB is set, replace default with the chosen database.

Cloudera Data Platform Public Cloud ¶

Service	Policy Name	Resources	Allow Conditions
Service	Policy Name	Resources	User	Permissions
HDFS → cm_hdfs	GDP - gluent	Path (Recursive): `HDFS_LOAD`	gluent	Read, Write, Execute
HADOOP SQL → Hadoop SQL	GDP - UDF Library	URL: `OFFLOAD_FS_SCHEME`://`OFFLOAD_FS_CONTAINER`/`OFFLOAD_FS_PREFIX`/`to_internal.so`	gluent	All
HADOOP SQL → Hadoop SQL	GDP - DB URIs	URL (Recursive): `OFFLOAD_FS_SCHEME`://`OFFLOAD_FS_CONTAINER`/`OFFLOAD_FS_PREFIX` URL (Recursive): hdfs://NAMENODE_OR_NAMESERVICE_FQDN:PORT/`HDFS_LOAD`	gluent	All
HADOOP SQL → Hadoop SQL	GDP - DBs	DB: `` Table: `` Column: `*`	{OWNER} 7	All
HADOOP SQL → Hadoop SQL	GDP - DBs	DB: `` Table: `` Column: `*`	gluent 8	Create
HADOOP SQL → Hadoop SQL	GDP - UDFs	DB: `default` 9 UDF: `*`	gluent	select, Create, Drop, Refresh

7(1,2): Use of {OWNER} gives the user who created the database full control of only their own databases. This permission is already present in a preloaded resource-based Ranger policy so this must be skipped if that Ranger policy is unmodified and active.
8: If the preloaded resource-based Ranger policy noted in 7 is unmodified and active, this permission must be added to that Ranger policy as it is not possible to have more than one Ranger policy covering the same resources.
9: By default UDFs are installed into the default Impala database. This database can be changed by specifying the database name with the OFFLOAD_UDF_DB option. If OFFLOAD_UDF_DB is set, replace default with the chosen database.

Documentation Feedback ¶

Send feedback on this documentation to: feedback@gluent.com

Ranger Privileges¶

Introduction¶

Cloudera Data Platform Private Cloud¶