Introduction

This document explains how to configure the Ranger Atlas plugin and offers a few recommendations.

...

Verification and preparation for plugin

...

  • Log in to Ranger Admin as a user with the admin role.
  • Test the connectivity between Ranger Service and its target (Atlas) service.  This isn’t essential but it would ease the policy authoring process.
  • Ensure that you can see users and their group mappings in Ranger Admin.


Atlas Policy

Atlas policy Resource

Atlas policies, like all Ranger policies, are specific to a resource.  The resource is the primary target of authorization.

...

  1. An Atlas policy resource can be one of: taxonomy, entity, type, operation and term.


  2. Each resource field can take in multiple values.

  3. The include/exclude flag is specified at this resource level; the default is include.  Turning the flag to exclude inverts the resource definition.
    1. For example, if you have a resource set up as Taxonomy=CompanyName, Term=Finance, and the Term level is set to Exclude, then the resource effectively refers to all Terms of Taxonomy CompanyName except the Term Finance.
      Note: As part of the 0.6 release, all Atlas resources support only * as the resource value. More granular access control is planned for the next release.

    2. Use the exclude flag in a resource definition when it simplifies the policy definition.  Indiscriminate use of the include/exclude flag can make reasoning about authorization challenging.



  4. Auditing is specified at the resource level.

Policy Item(s)

 Each policy can have zero or multiple policy items.

...

  1. The Atlas plugin supports the following permissions:

    1. Read

    2. Create

    3. Update

    4. Delete

    5. All

     

  2. A policy item can specify multiple permissions.
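
The following is an added example, not code from Ranger or from the original page: a simplified Python model of how a resource with an exclude flag and a set of policy items combine into an access decision. The dictionary layout, function names, the `fnmatch`-style wildcard handling and the treatment of "all" as covering every other permission are assumptions made for illustration; it models the Taxonomy/Term exclude case described above, which is more granular than the *-only support noted for the 0.6 release.

```python
from fnmatch import fnmatchcase

# Simplified model written for this example; this is not Ranger's policy engine.

def field_matches(spec, value):
    """spec = {"values": [...], "exclude": bool}; '*' wildcards are allowed."""
    hit = any(fnmatchcase(value, pattern) for pattern in spec["values"])
    # The exclude flag inverts the definition of this one resource field.
    return not hit if spec.get("exclude", False) else hit

def resource_matches(policy, req):
    """Every resource field named in the policy must match the request."""
    return all(
        field in req["resource"] and field_matches(spec, req["resource"][field])
        for field, spec in policy["resource"].items()
    )

def is_allowed(policy, req):
    """True if some policy item grants the requested permission to the caller."""
    if not resource_matches(policy, req):
        return False
    for item in policy["items"]:
        named = req["user"] in item.get("users", ())
        in_group = bool(set(req["groups"]) & set(item.get("groups", ())))
        perms = set(item["permissions"])  # an item may carry several permissions
        # Assumption: "all" stands for every other permission.
        if (named or in_group) and (req["permission"] in perms or "all" in perms):
            return True
    return False  # a policy with zero policy items grants nothing

# Constructed sample policy mirroring the Taxonomy/Term example above.
POLICY = {
    "resource": {
        "taxonomy": {"values": ["CompanyName"]},
        "term": {"values": ["Finance"], "exclude": True},
    },
    "items": [{"groups": ["analysts"], "permissions": ["read", "update"]}],
}

def request(term, permission, user="alice", groups=("analysts",)):
    """Build a constructed access request against Taxonomy CompanyName."""
    return {"user": user, "groups": groups, "permission": permission,
            "resource": {"taxonomy": "CompanyName", "term": term}}
```

With the exclude flag set on Term, a request for any term other than Finance matches the resource, which is why a broad exclude can grant more than the author intended.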
Delegated administration

 

...

The Delegate Admin flag at policy item level can be used to delegate the administration responsibility for a policy to users or user-groups specified on that policy item.

...

 

  1. This is a handy way to free the corporate administrator from having to deal with low-level administration details that are best left to department-level super-users.
  2. If you check the grant delegated admin flag at a policy level, then those users and user-group members would be able to grant access privileges to other users at a resource level below the policy's resource.
  3. This feature isn’t specific to Atlas but it is common to all plugins. 

Audit specification

...

The policy can specify if access to the policy resource should be audited or not.  Audit specification provides for aggregating the audit events such that similar events within a configurable timeframe would be logged as a single audit along with the total count.  This can be particularly useful when audit volume is high.

...