

Introduction

This document explains how to configure the Ranger Atlas plugin and gives a few recommendations.

Atlas is a scalable and extensible set of core foundational governance services that enables enterprises to effectively and efficiently meet their compliance requirements within Hadoop and allows integration with the whole enterprise data ecosystem.

Prerequisites

Installation

  • Install, configure and start Ranger Admin.
  • Install, configure and start Ranger UserSync.
  • In Ranger Admin, create a service for each Hadoop service that will have Ranger authorization, e.g. HDFS, Hive, HBase.
  • Install the Ranger plugin on the target Hadoop service (e.g. Hive, HBase, HDFS, Atlas) and restart the service.

If you are unsure about how to do the above then please refer to the following:

Verification and preparation for plugin

This document assumes that you have successfully performed the above steps.  In addition, please ensure that you have done the following:

  •  Log into Ranger Admin with a user having admin role.
  • Test the connectivity between Ranger Service and its target (Atlas) service.  This isn’t essential but it would ease the policy authoring process.
  • Ensure that you can see users and their group mappings in Ranger Admin.


Atlas Policy

Atlas policy Resource

 Atlas policies, like all Ranger policies, are specific to a resource.  The resource is the primary target of authorization.

 Atlas authorization is implemented at the REST API level. A user can easily verify the authorization by logging into the Atlas UI with a granted user’s credentials and searching for Tags and Entities.

 

  1. An Atlas policy resource can be one of: taxonomy, entity, type, operation and term.


  2. Each resource field can take in multiple values.

  3. The include/exclude flag is specified at this resource level; the default is include.  Turning the flag to exclude inverts the resource definition.
    1. For example, if you have a resource set up as Taxonomy=CompanyName, Term=Finance, and the Term level is set to exclude, then the resource effectively refers to all Terms of Taxonomy CompanyName except the Term Finance.
      Note: As part of the 0.6 release, all resources of Atlas support * for resources only. More granular access control is planned for the next release.

    2. Use the exclude flag in a resource definition when it simplifies the policy definition.  Indiscriminate use of the include/exclude flag can make reasoning about authorization challenging.



  4. Auditing is specified at the resource level.

Policy Item(s)

 

Each policy can have zero or multiple policy items.

  • A policy item specifies which sets of users or user-groups are allowed to perform which operations on the policy resource.

Atlas Access Permissions

  1. The Atlas plugin supports the following permissions:

    1. Read

    2. Create

    3. Update

    4. Delete

    5. All

     

  2. A policy item can specify multiple permissions.
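
The include/exclude and policy-item semantics described above, as an added example (not code from Ranger or Atlas): a simplified Python model in which the dictionary layout, function names and the sample users and groups are assumptions. It uses the page's Taxonomy=CompanyName, Term=Finance case with Term set to exclude.

```python
from fnmatch import fnmatchcase

# Simplified model of the semantics described above; this is not Ranger's evaluator.
PERMISSIONS = {"read", "create", "update", "delete"}

def field_matches(spec, value):
    """spec = {"values": [...], "exclude": bool}; '*' wildcards are allowed."""
    hit = any(fnmatchcase(value, pattern) for pattern in spec["values"])
    # The exclude flag inverts the match for this one resource field only.
    return not hit if spec.get("exclude", False) else hit

def resource_matches(policy, request_resource):
    """Every resource field named in the policy must match the request."""
    return all(
        name in request_resource and field_matches(spec, request_resource[name])
        for name, spec in policy["resource"].items()
    )

def is_allowed(policy, user, groups, permission, request_resource):
    """Allow only if the resource matches and some policy item grants the permission."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    if not resource_matches(policy, request_resource):
        return False
    for item in policy["items"]:
        principal_ok = user in item.get("users", ()) or bool(set(groups) & set(item.get("groups", ())))
        granted = set(item["permissions"])
        if principal_ok and (permission in granted or "all" in granted):
            return True
    return False  # zero policy items, or none matched: this policy grants nothing

# Constructed sample policy: Taxonomy=CompanyName, Term=Finance with Term set to exclude.
POLICY = {
    "resource": {
        "taxonomy": {"values": ["CompanyName"]},
        "term": {"values": ["Finance"], "exclude": True},
    },
    "audit": True,  # auditing is specified at the resource level
    "items": [
        {"groups": ["analysts"], "permissions": ["read"]},
        {"users": ["steward"], "permissions": ["all"]},
    ],
}
```

With this policy, a member of the hypothetical analysts group can read any Term of CompanyName except Finance, and even the user holding All gets nothing from this policy on Finance, because the excluded Term never matches the resource.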

          

 
Delegated administration

 The Delegate Admin flag at policy item level can be used to delegate the administration responsibility for a policy to users or user-groups specified on that policy item. 

  1. This is a handy way to free the corporate administrator from having to deal with low-level administration details that are best left to department-level super-users.
  2. If you check the delegated admin flag at a policy level, then those users and user-group members are able to grant access privileges to other users at a resource level below the policy's resource.
  3. This feature isn’t specific to Atlas but it is common to all plugins.

Audit specification

The policy can specify if access to the policy resource should be audited or not.  Audit specification provides for aggregating the audit events such that similar events within a configurable timeframe would be logged as a single audit along with the total count.  This can be particularly useful when audit volume is high.
