...
Label | Description |
Policy name | Enter an appropriate policy name. This name cannot be duplicated across the system. |
Knox topology | Enter an appropriate Topology Name |
Knox service | Enter an appropriate Service Name |
Audit Logging | Choose whether the particular policy will be audited or not. |
User permissions | From a user list, pick a particular user and choose permissions for that user. Choosing admin permission will designate the user as admin for the chosen resource. |
Group permissions | From a user group list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the group as admin for the chosen resource. |
Enable/disable | By default the policy is enabled. You can disable a policy to restrict user/group access for that policy. |
Include/Exclude | The include flag means the policy will consider the values entered in the field. The default value is include. The exclude flag will exclude all the table names or column names entered in that particular field. |
Note |
---|
Wildcards: Wildcards can be included in the resource path. '*' indicates zero or more occurrences of characters. '?' indicates a single character. You can use wildcards in the topology name and the service name, e.g. topology name as *, service name as ?. |
Permission | Description |
IP Address Range | Specify the IP address range. |
Allow | The Allow permission lets users access the topology specified in the topology name. |
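The wildcard and Include/Exclude rules above decide how many resources one policy reaches, which is worth checking before saving a broad policy. The sketch below is an added example, not Ranger's own code: the dictionary layout, the function names, the inventory and case-sensitive matching are all assumptions made for illustration.

```python
import re

def wildcard_regex(pattern):
    """'*' -> zero or more characters, '?' -> exactly one; all else literal."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.DOTALL)

def field_matches(field, name):
    """field is {"values": [...], "exclude": bool} (hypothetical layout).
    Include (default): name must match a listed value.
    Exclude: the field covers every name EXCEPT the listed values."""
    hit = any(wildcard_regex(v).fullmatch(name) for v in field["values"])
    return not hit if field.get("exclude", False) else hit

def policy_applies(policy, topology, service):
    """A disabled policy grants nothing; otherwise both fields must match."""
    if not policy.get("enabled", True):
        return False
    return (field_matches(policy["topology"], topology)
            and field_matches(policy["service"], service))

def covered(policy, inventory):
    """List the (topology, service) pairs a policy would apply to."""
    return [pair for pair in inventory if policy_applies(policy, *pair)]

# Constructed inventory and policies, for illustration only.
INVENTORY = [("default", "WEBHDFS"), ("default", "HIVE"),
             ("admin", "WEBHDFS"), ("sandbox", "X")]
NARROW = {"topology": {"values": ["default"]}, "service": {"values": ["WEBHDFS"]}}
PAGE_EXAMPLE = {"topology": {"values": ["*"]}, "service": {"values": ["?"]}}
ALL_BUT_ADMIN = {"topology": {"values": ["admin"], "exclude": True},
                 "service": {"values": ["*"]}}
DISABLED = dict(ALL_BUT_ADMIN, enabled=False)

if __name__ == "__main__":
    for name, pol in [("narrow", NARROW), ("page example", PAGE_EXAMPLE),
                      ("all but admin", ALL_BUT_ADMIN), ("disabled", DISABLED)]:
        print(f"{name:14} -> {covered(pol, INVENTORY)}")
```

The page's own example (topology `*`, service `?`) reaches every topology but only services whose name is a single character, while an exclude list reaches everything that is not named in it.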
Edit/Delete Knox policies
...
You can edit/delete a policy from the KNOX Policy Listing page by clicking on the edit/delete button next to the policy row.
STORM
Adding STORM Policies
...
Label | Description |
Policy name | Enter an appropriate policy name. This name cannot be duplicated across the system. |
Storm topology | Enter an appropriate Topology Name |
Audit logging | Choose whether the particular policy will be audited or not. |
Group permission | From a user group list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the group as admin for the chosen resource. |
User permission | From a user list, pick a particular user and choose permissions for that user. Choosing admin permission will designate the user as admin for the chosen resource. |
Enable/disable | By default the policy is enabled. You can disable a policy to restrict user/group access for that policy. |
Include/Exclude | The include flag means the policy will consider the values entered in the field. The default value is include. The exclude flag will exclude all the table names or column names entered in that particular field. |
Note |
---|
Wildcards: Wildcards can be included in the resource path. '*' indicates zero or more occurrences of characters. '?' indicates a single character. You can use wildcards in the topology name, e.g. topology name as ?. |
Permission | Description |
Submit Topology | Allows user to submit a topology |
File upload | Allows user to upload files |
Get Nimbus Conf | Allows user to access Nimbus Configuration |
Get Cluster info | Allows user to get Cluster Information |
File Download | Allows user to Download Files |
Kill Topology | Allows user to kill topology |
Rebalance | Allows user to Rebalance topologies |
Activate | Allows user to Activate topology |
Deactivate | Allows user to Deactivate topology |
Get Topology Conf | Allows user to access Topology Configuration |
Get Topology | Allows user to access Topology |
Get User Topology | Allows user to access user Topology |
Get Topology Info | Allows user to access Topology Information |
Upload New Credential | Allows user to upload new credential |
...
Step 1 : Click on the Add New Policy button on listing page
Step 2 : Add YARN Policy
...
Label | Description |
Policy Name | Enter an appropriate policy name. This name cannot be duplicated across the system. |
Queue | The fundamental unit of scheduling in YARN. |
Audit Logging | Choose whether the particular policy will be audited or not. |
Enable/disable | By default the policy is enabled. You can disable a policy to restrict user/group access for that policy. |
Recursive | You can indicate whether all files or folders within the existing folder come under the policy. Can be used instead of wildcard characters. |
User Permission | From a user list, pick a particular user and choose permissions for that user. Choosing admin permission will designate the user as admin for the chosen resource. |
Group Permission | From a user group list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the group as admin for the chosen resource. |
Note |
---|
Wildcards: Wildcards can be included in the resource path. '*' indicates zero or more occurrences of characters. '?' indicates a single character. You can use wildcards in the topology name, e.g. topology name as ?. |
Permission | Description |
Submit-job | Allows user to submit a job on a defined queue |
Admin-queue | Allows user to manage admin queue |
Edit/Delete YARN policies
- You can edit/delete a policy from the YARN Policy Listing page by clicking on the edit/delete button next to the policy row.
SOLR
Adding SOLR Policies
You can add a new policy from the STORM Policy Listing Page. Once added, the policy should be listed in the table below. You can search for a policy by collection, group name, policy name, status and user name.
Step 1 : Click on the Add New Policy button on listing page
Step 2 : Add SOLR policy
...
Label | Description |
Policy Name | Enter an appropriate policy name. This name cannot be duplicated across the system. |
Solr connection | http://<host_ip>:6083/solr |
Audit logging | Choose whether the particular policy will be audited or not. |
Group permission | From a user group list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the group as admin for the chosen resource. |
User Permission | From a user list, pick a particular user and choose permissions for that user. Choosing admin permission will designate the user as admin for the chosen resource. |
Enabled/disabled | By default the policy is enabled. You can disable a policy to restrict user/group access for that policy. |
Include/Exclude | The include flag means the policy will consider the values entered in the field. The default value is include. The exclude flag will exclude all the table names or column names entered in that particular field. |
Permission | Description |
Query | Permission to fetch records from Solr DB. |
Update | Permission to update records in Solr |
Others | |
Solr Admin | Permission to manage user accounts and |
Edit / Delete SOLR Policies
You can edit/delete a policy from the SOLR Policy Listing page by clicking on the edit/delete button next to the policy row.
...
Step 1 : Click on the Add New Policy button on listing page
Step 2 : Add KAFKA Policy
Label | Description |
Policy name | Enter an appropriate policy name. This name cannot be duplicated across the system. |
Topic | A topic is a category or feed name to which messages are published. |
Audit logging | Choose whether the particular policy will be audited or not. |
User permission | From a user list, pick a particular user and choose permissions for that user. Choosing admin permission will designate the user as admin for the chosen resource. |
Group permission | From a user group list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the group as admin for the chosen resource. |
Enable/Disable | By default the policy is enabled. You can disable a policy to restrict user/group access for that policy. |
Include/Exclude | The include flag means the policy will consider the values entered in the field. The default value is include. The exclude flag will exclude all the table names or column names entered in that particular field. |
Note |
---|
Wildcards: Wildcards can be included in the resource path. '*' indicates zero or more occurrences of characters. '?' indicates a single character. You can use wildcards in the topology name, e.g. topology name as ?. |
...
Step 2 : Enter the details and save.
...
Label | Description |
User Name | Enter an appropriate user name. This name cannot be duplicated across the system. |
New Password | Enter an appropriate password. |
Password Confirm | Confirm the entered password. |
First Name | Enter an appropriate first name. |
Last Name | Enter an appropriate last name. |
Email address | Enter an appropriate email address in the required format. |
Select Role | Enter an appropriate Role. |
Group | Select a role from the given roles 'Admin', 'Users'. This is a mandatory field. |
...
Step 5 : Set status of the user.
- If the user's status is enabled, that user can log in to the application. If the user's status is disabled, that user cannot log in to the application.
Edit Users
- We can edit only internal users. For external users, only the role can be changed.
Admin Login:
- You can edit a user from the users Listing page by clicking on the user name.
User Login:
- You can edit a user from the users Listing page by clicking on profile.
Groups
- Ranger allows assigning permissions at group level too.
...
Step 2 : Enter the details and save.
...
Label | Description |
Group Name | Enter an appropriate group name. This name cannot be duplicated across the system. This is a mandatory field. |
Description | Give any description for reference. |
...
Edit Groups
- You can edit a group from the groups Listing page by clicking on the name of the group. (This can only be performed by an admin.)
- Visibility of Groups
- A hidden group does not appear on the group listing page. To hide a group, select the check box near the group name.
Reports
- The Reports module is used to manage policies more efficiently as the number of policies grows. This page lists all the policies from HDFS, HIVE, HBASE, KNOX, YARN, KAFKA, SOLR and STORM. You can search based on:
- Policy Name : The policy name assigned to the policy while creating it.
- Resource Path : The resource path used while creating the policy.
- ‘Group’ / ‘User Name’: The group and the users to which the policy is assigned
...
- This module contains all events for the HDP Security Administration Web UI, including Service, Policy Manager, Log in, etc. (actions like create, update, delete, password change). You can filter the data based on the following:
Search Criteria | Description |
Action | The operations performed on resources (actions like create, update, delete, password change). |
Audit Type | There are three values, Resource, asset and xa user, according to operations performed on Service, policy and users. |
Session id | The session count increments each time you try to log in to the system. |
Start Date | Login time and date is stored for each session. A date range is used to filter the results for that particular date range. |
User | The user name of the user who performed the create, update or delete operation. |
...
- Difference view when we click on an operation (Update operation in this case)
Logging Session
This module logs the information related to the sessions for each login. You can filter the data based on:
...
Search Criteria | Description |
End Date, Start Date | Login time and date is stored for each session. A date range is used to filter the results for that particular date range. |
Ip | The IP of the system through which we log in. |
Login id | The user name through which you log in to the system. |
Login Type | The mode through which the user tries to log in (by entering username and password). |
Result | Result based on login pass or fail. |
Session id | The session count increments each time you try to log in to the system. |
User Agent | Login time and date is stored for each session |
Click on session id for session details.
Plugins
- This module shows the upload history of the Security Agents. It displays all the services exported from the system. You can filter the data based on the following:
Search Criteria | Description |
Http Response Code | The HTTP code which you get when you try to export the services. |
Plugin IP | IP of the agent which tries to export the service. |
Plugin Id | Name of the agent which tries to export the service |
Start Date,End Date | Export time and date is stored for each agent. A date range is used to filter the results for that particular date range. |
Service Name | The service name we are trying to export. |
- The Plugins tab is useful for checking whether components are communicating successfully with Ranger.
Permissions
Permissions Module
The aim of the permission module is to provide flexibility in user roles. With the help of the permission model, an admin can restrict access or assign permission to any module for non-admin users. The main purpose of the permission model is to assign dedicated roles to non-admin users based on services such as policy manager, audit, reporting, user management and Key Manager.
Step 1 : Put the pointer on the Settings tab. Click on 'Permissions' from the dropdown.
...
Step 2 : You can search the permissions by Group Name, Module Name and User Name.
Add / Edit Permission
Step 3 : On the permissions listing page, click on the edit button under the Action column to give the selected user access to a particular module.
...
Step 4 : You can select multiple users and groups from the drop-down.
a. User Permission
b. Group Permission
Step 5 : If the user Steve has permission for only the Audit and Reports tabs, then only these two modules will be visible to that user on login.
a. Admin Login
b. Steve user Login