Ranger tag-based services and policies (7)

Tag-based services and policies

Ranger allows you to create tag-based services and add access policies to those services.

Add a tag-based service

How to add tag-based services to Ranger.

About this task

You can use the Service Manager for Tag-Based Policies to create tag-based services and add tag-based access policies that can be applied to Hadoop resources. Using tag-based policies lets you control access to resources across multiple Hadoop components without creating separate services and policies in each component. You can also use Ranger TagSync to synchronize the Ranger tag store with external metadata services such as Apache Atlas.

Procedure

  1. Select Access Manager > Tag Based Policies, and then click the add icon (+) in the TAG box on the Service Manager page.

  2. On the Create Service page, enter a service name and an optional description. The service is enabled by default; to disable it, select Disabled. Click Add to add the service.

  3. The new tag service appears on the Service Manager page.

Add a tag-based policy

Tag-based policies enable you to control access to resources across multiple Hadoop components without creating separate services and policies in each component. You can also use Ranger TagSync to synchronize the Ranger tag store with external metadata services such as Apache Atlas.
    

Procedure

  1. Select Access Manager > Tag Based Policies, and then select a tag-based service.

  2. On the Policy List page, click Add New Policy. The Create Policy page appears.

  3. Enter the following information on the Create Policy page:

Table 1: Policy details

Policy Type: The default is Access.
Policy Name: Enter a unique policy name. The name cannot be duplicated anywhere in the system. This field is required.
normal/override: Lets you specify an override policy. When Override is selected, the access permissions in this policy override the access permissions in existing policies. This can be combined with Add Validity Period to create temporary access policies that override existing policies.
TAG: Enter the applicable tag name.
Description: (Optional) Describe the purpose of the policy.
Audit Logging: Specify whether this policy is audited. (Deselect to disable auditing.)
Policy Label: Assign a label to the policy. You can search reports and filter policies based on these labels.
Add Validity Period: Specify the start and end time of the policy.
Policy Conditions (applied at the policy level): Click the + icon to add a policy condition. Currently "Accessed after expiry_date (yes/no)?" is the only policy condition available. Accessed after expiry_date (yes/no)?: To set this condition, type yes in the text box, and then click the check mark button to add the condition. Enter boolean expression: can be used for allow or deny conditions on tag-based policies. For examples and details, see "Using tag attributes and values in Ranger tag-based policy conditions". Click Save to save the policy conditions.

Table 2: Allow, Exclude from Allow, Deny, and Exclude from Deny conditions

Select Group: Specify the group to which this policy applies. To designate the group as the administrator of the chosen resource, specify Admin permissions. (Administrators can create child policies based on existing policies.) The public group contains all users, so setting a condition for the public group applies to all users.
Select User: Specify a particular user (outside the specified group) to which this policy applies, or designate a particular user as an administrator of this policy. (Administrators can create child policies based on existing policies.)
Policy Conditions (applied at the item level): Click Add Conditions to add a policy condition. Currently "Accessed after expiry_date (yes/no)?" is the only policy condition available. Accessed after expiry_date (yes/no)?: To set this condition, type yes in the text box, and then click the check mark button to add the condition. Enter boolean expression: can be used for allow or deny conditions on tag-based policies. For examples and details, see "Using tag attributes and values in Ranger tag-based policy conditions".
Component Permissions: Click Add Permissions to add or edit component conditions. To add component permissions, enter the component name in the text box, and then use the check boxes to specify the component permissions. Click the check mark button to add the selected component conditions to the policy.

  4. You can use the plus (+) symbol to add additional conditions. Conditions are evaluated in the order listed in the policy: the condition at the top of the list is applied first, then the second condition, then the third, and so on.

  5. Click Add to add the new policy.

Using tag attributes and values in Ranger tag-based policy conditions

The "Enter boolean expression" condition lets Ranger use tag attributes and their values when configuring allow or deny conditions in tag-based policies. It allows administrators to supply a boolean expression written in terms of tag attributes.

The policy condition is declared in the tag service definition (the policyConditions entry, shown here as well-formed JSON):

  {
    "itemId": 2,
    "name": "expression",
    "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
    "evaluatorOptions": {
      "engineName": "JavaScript",
      "ui.isMultiline": "true"
    },
    "label": "Enter boolean expression",
    "description": "Boolean expression"
  }

The following variables can be referenced in a boolean expression:
• ctx: the context handler, which contains the API for accessing metadata information from the request.
• tag: information about the current tag.
• tagAttr: a map of all the current tag's attributes and their corresponding values.

The following APIs are available on the request context:
• getUser(): returns a string containing the user name.
• getUserGroups(): returns a set of strings containing the user's groups.
• getClientIPAddress(): returns a string containing the client IP address.
• getAction(): returns a string containing the requested action.

Two scenarios:

• Scenario 1: User "sam" needs to be denied access based on the IP address of the machine where the resource is located. Use the following boolean expression to set a deny condition for user sam:

  if ( tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) ) {
    ctx.result = true;
  }

• Scenario 2: To deny a specific user "bob" from the group "users" only when that user accesses a resource of a specific IP, a tag attribute is defined in Atlas. Use the following boolean expression to set a deny condition for the group users:

  if (tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) &&
      ctx.getUser().equals("bob")) {
    ctx.result = true;
  }
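To try a condition expression before saving it in a policy, the following added harness (not Ranger code) fakes the ctx, tag and tagAttr objects that Ranger's RangerScriptConditionEvaluator hands to the script and runs the two expressions above against constructed requests. It assumes tagAttr behaves like a Java Map (so containsKey is available) and treats a script error as "not matched", which shows that a deny condition that dereferences an attribute the tag may lack does not fire.

```javascript
// Offline harness mimicking the variables Ranger's RangerScriptConditionEvaluator exposes to a
// tag policy condition script (ctx, tag, tagAttr). Added mock for testing expressions; not Ranger code.

// Under the Java script engine tag values are Java strings, so scripts call .equals(); mimic that.
function jstr(value) {
  return { equals: (other) => value === String(other), toString: () => value };
}

// Build ctx / tag / tagAttr from a constructed request and a constructed tag attribute map.
function makeScriptContext(request, attrs) {
  const ctx = {
    result: false,                                   // a script reports a match via ctx.result = true
    getUser: () => jstr(request.user),
    getUserGroups: () => new Set(request.groups),
    getClientIPAddress: () => jstr(request.clientIp),
    getAction: () => jstr(request.action),
  };
  const tagAttr = {                                  // java.util.Map-like view of the tag attributes
    get: (key) => (key in attrs ? jstr(attrs[key]) : null),
    containsKey: (key) => key in attrs,
  };
  const tag = { type: 'ipAddrGuard', attributes: attrs };   // constructed tag name
  return { ctx, tag, tagAttr };
}

// Evaluate one condition script. A script that throws (null.equals on a missing attribute) is
// reported as not matched, so a deny condition that relies on that attribute silently fails open.
function evaluateCondition(script, request, attrs) {
  const { ctx, tag, tagAttr } = makeScriptContext(request, attrs);
  try {
    new Function('ctx', 'tag', 'tagAttr', script)(ctx, tag, tagAttr);
    return { matched: ctx.result === true, error: null };
  } catch (e) {
    return { matched: false, error: String(e) };
  }
}

// Scenario 1 and scenario 2 from the text, plus a guarded variant of scenario 2.
const DENY_SAM_ON_TAGGED_IP =
  "if ( tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) ) { ctx.result = true; }";
const DENY_BOB_ON_TAGGED_IP =
  "if (tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) && ctx.getUser().equals('bob')) { ctx.result = true; }";
const DENY_BOB_ON_TAGGED_IP_GUARDED =
  "if (tagAttr.containsKey('ipAddr') && tagAttr.get('ipAddr').equals(ctx.getClientIPAddress())" +
  " && ctx.getUser().equals('bob')) { ctx.result = true; }";

// Constructed sample request: bob, member of group users, running a Hive select from 10.0.0.5.
const SAMPLE_REQUEST = { user: 'bob', groups: ['users'], clientIp: '10.0.0.5', action: 'select' };
```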

Add a tag-based PII policy

An example of how to add a policy based on a PII tag. In this example, we create a tag-based policy for objects tagged "PII" in Atlas. Members of the "audit" group are allowed to access objects tagged "PII"; all other users (the "public" group) are denied access.

Procedure

  1. Select Access Manager > Tag Based Policies, and then select a tag-based service.

  2. On the Policy List page, click Add New Policy. The Create Policy page appears.

  3. Enter the following information on the Create Policy page:

Table 1: Policy details

Policy Type: Access (the default)
Policy Name: PII
TAG: PII
Audit Logging: YES
Description: Restrict access to resources with the PII tag.

Table 2: Allow conditions

Select Group: audit
Select User: none
Policy Conditions: none
Component Permissions: Hive (select all permissions)

Table 3: Deny conditions

Select Group: public
Select User: none
Policy Conditions: none
Component Permissions: Hive (select all permissions)

Table 4: Exclude from Deny conditions

Select Group: audit
Select User: none
Policy Conditions: none
Component Permissions: Hive (select all permissions)

In this example, we use an allow condition to grant access to the "audit" group, and then a deny condition to deny access to the "public" group. Because the "public" group includes all users, we use an Exclude from Deny condition to exclude the "audit" group, which effectively restores the original allow condition for the "audit" group.

  4. Click Add to add the new policy.
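To see why the Exclude from Deny entry in Table 4 is needed, here is an added model (not Ranger's own evaluator) of how the allow, deny and exception lists of the PII policy combine for a request; the list names and the Hive permission subset are constructed for the illustration.

```javascript
// Small model of how the four item lists of a Ranger tag policy combine, built to illustrate
// the PII policy above. Added example, not Ranger's evaluator; list names mirror the UI sections.

// The PII policy as entered in Tables 1 to 4 (constructed object; HIVE_ALL is a subset).
const HIVE_ALL = ['hive:select', 'hive:update', 'hive:create', 'hive:drop', 'hive:alter'];
const PII_POLICY = {
  name: 'PII',
  tag: 'PII',
  allow:           [{ groups: ['audit'],  permissions: HIVE_ALL }],
  allowExceptions: [],
  deny:            [{ groups: ['public'], permissions: HIVE_ALL }],
  denyExceptions:  [{ groups: ['audit'],  permissions: HIVE_ALL }],
};

// An item matches when the requester is in one of its groups (public contains everyone, as the
// text states) or is one of its users, and the requested permission is listed.
function itemMatches(item, request) {
  const inGroup = item.groups.some((g) => g === 'public' || request.groups.includes(g));
  const isUser = (item.users || []).includes(request.user);
  return (inGroup || isUser) && item.permissions.includes(request.permission);
}

// A matching deny item wins unless a deny exception also matches; otherwise a matching allow
// item grants unless an allow exception matches; otherwise this policy is silent.
function evaluateTagPolicy(policy, request) {
  if (!request.tags.includes(policy.tag)) return 'NOT_APPLICABLE';
  const matches = (items) => items.some((it) => itemMatches(it, request));
  if (matches(policy.deny) && !matches(policy.denyExceptions)) return 'DENIED';
  if (matches(policy.allow) && !matches(policy.allowExceptions)) return 'ALLOWED';
  return 'NOT_DETERMINED';
}

// Constructed requests against a Hive table that Atlas has tagged PII.
const AUDITOR = { user: 'alice', groups: ['audit'], permission: 'hive:select', tags: ['PII'] };
const ANALYST = { user: 'bob',   groups: ['users'], permission: 'hive:select', tags: ['PII'] };

// The same policy without the Exclude from Deny entry: because public contains the auditors
// too, the deny now swallows the allow, which is why Table 4 is needed.
const PII_POLICY_WITHOUT_EXCEPTION = { ...PII_POLICY, denyExceptions: [] };
```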

Default EXPIRES_ON tag policy

When a tag service instance is created, an EXPIRES_ON tag policy is created automatically. This default policy denies access to objects tagged EXPIRES_ON after the expiry date specified in the Atlas tag attribute. You can use the following steps to view the default EXPIRES_ON policy.

Procedure

  1. Select Access Manager > Tag Based Policies, and then select a tag-based service.

  2. On the Policy List page, click the edit icon of the default EXPIRES_ON policy. The Edit Policy page appears.

  3. You can see that the default EXPIRES_ON policy denies access for all users and all components after the expiry date specified in the Atlas tag attribute.

Import and export tag-based policies

You can export and import policies from the Ranger Admin UI for cluster resiliency (backups), during recovery operations, or when moving policies from a test cluster to a production cluster. You can import or export a specific subset of policies (such as those that pertain to specific resources or users/groups), or clone the entire repository (or multiple repositories) through the Ranger Admin UI.

Interfaces

You can import and export policies from the Tag Based Policies page. You can also export policies from the Reports page.

Table: Export policy options

                          Service Manager page    Reports page
Formats                   JSON                    JSON, Excel, CSV
Filtering supported       No                      Yes
Specific service export   Yes                     Via filtering

Filtering
When exporting from the Reports page, you can apply filters before saving the file.

Export formats
Policies can be exported in the following formats:
• Excel
• JSON
• CSV

Note: CSV format is not supported when importing policies.
When you export policies from the Service Manager page, they are automatically downloaded in JSON format. If you want to export in Excel or CSV format, export the policies from the drop-down menu on the Reports page.

Required user roles
The admin user can only import and export resource-based and tag-based policies. This user's credentials are set in the field labeled admin_username under Ranger Configs > Advanced ranger-env (default: admin/admin).
The Ranger KMS keyadmin user can only import and export KMS policies. The default credentials for this user are keyadmin/keyadmin.

Limitations
To import policies successfully, use one of the following database versions:
• MariaDB: 10.1.16+
• MySQL: 5.6.x+
• Oracle: 11gR2+
• PostgreSQL: 8.4+
• MS SQL: 2008 R2+
Partial policy import is not supported.

Import tag-based policies

How to import tag-based policies.

Procedure

  1. On the Tag Based Policies page, click one of the import icons.

  2. Select the file to import. Only policies in JSON format can be imported.

  3. (Optional) Configure the import operation:

     a) The Override Policy option deletes all policies of the destination repositories.
     b) Zone Mapping: when no destination is selected, all services are imported. When a destination is selected, only the services associated with that security zone are imported.
     c) Service Mapping maps the repository in the downloaded file (the source repository) to the destination repository. You can use the red x symbol to remove a service from the import. Scroll down to view all the service mappings.

  4. Click Import. A confirmation message appears after the file has been imported.

Export tag-based policies

How to export all tag-based policies.

About this task
Only policies in JSON format can be exported from the Tag Based Policies page. If you want to export in Excel or CSV format, export the policies from the drop-down menu on the Reports page.

Procedure

• From the Access Manager > Tag Based Policies page:
  a) Click the Export button or icon. The Export Policy page appears.
  b) Remove the components or specific services you do not want to export, and click Export. The file is downloaded in your browser as a JSON file.

• From the Reports page:
  a) Filter the component tags and click Search.
  b) (Optional) Apply filters before exporting the file.
  c) Open the Export drop-down menu.
  d) Select the file format. The file is downloaded in the browser.


Origin blog.csdn.net/m0_48187193/article/details/114702911