Ranger policy configuration (4)

Configuring resource-based policies

In the "Resource-based Policy Service Manager", click a service name to view the policies associated with that service. The service's policies are displayed in a list with a search box.
• To add a new resource-based policy to the service, click Add New Policy.
• To edit a resource-based policy, click the edit icon on the right side of the service entry. Edit the policy settings and click Save to save the changes.
• To delete a resource-based policy, click the delete icon on the right side of the service entry.

Configure resource policy: HBase

How to add a new policy to an existing HBase service

  1. On the "Service Manager" page, select an existing HBase service.
    The "Policy List" page appears.
  2. Click "Add New Policy."
    The system displays the "Create Policy" page.
  3. Complete the "Create Policy" page as follows:

Table 1: Policy details

| Label | Description |
| --- | --- |
| Policy Name | Enter an appropriate policy name. The name cannot be duplicated in the system. This field is required. |
| normal/override | Lets you specify an override policy. When override is selected, the access permissions in the policy override the access permissions in existing policies. This feature can be used together with "Add Validity Period" to create temporary access policies that override existing policies. |
| HBase Table | Choose the appropriate database. You can select multiple databases for a particular policy. This field is required. |
| HBase Column-family | For the selected table, specify the column family to which the policy applies. |
| HBase Column | For the selected table and column family, specify the columns to which the policy applies. |
| Description | (Optional) Describe the purpose of this policy. |
| Audit Logging | Specify whether this policy is audited. (Deselect to disable auditing.) |
| Policy Label | Assign a label to the policy. You can search reports and filter policies based on these labels. |
| Add Validity Period | Specify the start and end time of the policy. |

Table 2: Allow conditions

| Label | Description |
| --- | --- |
| Select Group | Specify the group to which this policy applies. To designate a group as an administrator, select the "Delegate Admin" check box. The administrator can edit or delete the policy, or create a sub-policy based on the original policy. The public group contains all users, so granting access to the public group grants access to all users. |
| Select User | Specify the users to whom this policy applies. To designate a user as an administrator, select the "Delegate Admin" check box. The administrator can edit or delete the policy, or create a sub-policy based on the original policy. |
| Permissions | Add or edit permissions: Read, Write, Create, Admin, Select/Deselect All. |
| Delegate Admin | You can use Delegate Admin to assign administrator rights to the users or groups specified in the policy. The administrator can edit or delete the policy, or create a sub-policy based on the original policy. |

  4. You can use the plus sign (+) to add additional conditions. Conditions are evaluated in the order listed in the policy. The condition at the top of the list is applied first, then the second condition, then the third condition, and so on.
  5. Click Add.

What to do next

Provide user access to HBase database tables from the command line

HBase provides a way to manage user access to HBase database tables directly from the command line. The most commonly used commands are:

  1. Grant
    Syntax:
grant '<user-or-group>','<permissions>','<table>'

For example, to create a policy to grant user1 read and write permissions to the usertable table, the command would be:

grant 'user1','RW','usertable'

The syntax for granting CREATE and ADMIN permissions is the same.

  2. Revoke
    Syntax:
revoke '<user-or-group>','<usertable>'

For example, to revoke user1's read and write access to the usertable table, the command is as follows:

revoke 'user1','usertable'

Note:

Unlike Hive, HBase has no specific revoke command for each individual user permission.
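
The grant command above maps directly onto the fields in Tables 1 and 2. The following is an added example, not code from the original post or from the Ranger project: it translates a table-level grant into a policy dictionary shaped like Ranger's policy JSON. The function names, the service name and the policy name are hypothetical, the column family and column are assumed to be the wildcard `*`, and only the four permissions listed in Table 2 are accepted.

```python
import re

# HBase shell permission letters mapped to the Ranger permission names in Table 2.
LETTER_TO_ACCESS = {"R": "read", "W": "write", "C": "create", "A": "admin"}
GRANT_RE = re.compile(r"^\s*grant\s+'([^']+)'\s*,\s*'([A-Za-z]+)'\s*,\s*'([^']+)'\s*$")


def grant_to_policy(command, service, name):
    """Translate a table-level HBase grant into a Ranger-style policy dict."""
    match = GRANT_RE.match(command)
    if match is None:
        raise ValueError("not a table-level grant: %r" % command)
    principal, letters, table = match.groups()
    letters = letters.upper()
    unknown = sorted(set(letters) - set(LETTER_TO_ACCESS))
    if unknown:
        raise ValueError("unsupported permission letters: %s" % ", ".join(unknown))
    item = {
        "users": [],
        "groups": [],
        # dict.fromkeys() drops repeated letters while keeping their order.
        "accesses": [{"type": LETTER_TO_ACCESS[c], "isAllowed": True}
                     for c in dict.fromkeys(letters)],
        "delegateAdmin": False,
    }
    # The HBase shell marks a group principal with a leading "@".
    if principal.startswith("@"):
        item["groups"].append(principal[1:])
    else:
        item["users"].append(principal)
    return {
        "service": service,      # hypothetical service name supplied by the caller
        "name": name,            # must be unique, as Table 1 requires
        "isEnabled": True,
        "isAuditEnabled": True,  # "Audit Logging" left selected
        "resources": {
            "table": {"values": [table]},
            "column-family": {"values": ["*"]},  # assumption: whole table
            "column": {"values": ["*"]},
        },
        "policyItems": [item],
    }


def accesses(policy):
    """Return the permission names granted by the policy's first allow condition."""
    return [a["type"] for a in policy["policyItems"][0]["accesses"]]
```

Reviewing the generated dictionary before creating the policy makes it easy to spot a grant that is broader than intended, such as one that includes Admin.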


Configure resource policy: HDFS

How to add a new policy to an existing HDFS service.

About this task

Apache Ranger can be configured so that both Ranger policies and HDFS permissions are checked for a user request. When the NameNode receives a user request, the Ranger plugin checks the policies set through the Ranger Service Manager. If there is no policy, the Ranger plugin checks the permissions set in HDFS.

We recommend creating permissions in the Ranger Service Manager and keeping permissions at the HDFS level restrictive.
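
The fallback order described above is the reason for that recommendation. The following is an added example, not code from the original post or from Ranger: a simplified model of the decision in which a Ranger policy is consulted first and the HDFS mode bits decide when no policy applies. It assumes that "no policy" means no policy matching the path, user and access; the class, function and path names are hypothetical, and the sample policy and inodes are constructed.

```python
import posixpath
from dataclasses import dataclass

BITS = {"read": 4, "write": 2, "execute": 1}


@dataclass
class Policy:
    """Simplified stand-in for one Ranger HDFS policy (allow conditions only)."""
    path: str
    users: frozenset
    accesses: frozenset
    recursive: bool = True

    def covers(self, target):
        base = self.path.rstrip("/")
        return target == (base or "/") or (self.recursive and target.startswith(base + "/"))


def hdfs_allows(inode, user, groups, access):
    """Check owner/group/other mode bits of the target only (no ACLs, no traversal)."""
    owner, group, mode = inode
    shift = 6 if user == owner else 3 if group in groups else 0
    return bool((mode >> shift) & BITS[access])


def authorize(policies, inodes, user, groups, path, access):
    """Return (allowed, decided_by): Ranger policy first, HDFS permissions as fallback."""
    path = posixpath.normpath(path)  # resolve "." and ".." before matching
    for policy in policies:
        if policy.covers(path) and user in policy.users and access in policy.accesses:
            return True, "ranger"
    return hdfs_allows(inodes[path], user, groups, access), "hdfs"


# Constructed sample data: one Ranger policy and three HDFS inodes (owner, group, mode).
POLICIES = [Policy("/data/finance", frozenset({"analyst"}), frozenset({"read"}))]
INODES = {
    "/data/finance/q1.csv": ("hdfs", "finance", 0o640),
    "/data/open/q1.csv": ("hdfs", "hadoop", 0o666),    # permissive HDFS mode
    "/data/locked/q1.csv": ("hdfs", "hadoop", 0o600),  # restrictive HDFS mode
}
```

With this data, a user who appears in no Ranger policy can still read and write `/data/open/q1.csv` because the decision falls through to the permissive mode bits, while `/data/locked/q1.csv` stays closed until a Ranger policy grants access.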

Procedure

  1. On the "Service Manager" page, select an existing HDFS service.
    The "Policy List" page appears.
  2. Click "Add New Policy."
    The system displays the "Create Policy" page.
  3. Complete the "Create Policy" page as follows:

| Field | Description |
| --- | --- |
| Policy Name | Enter a unique name for the policy. The name cannot be duplicated anywhere in the system. |
| normal/override | Lets you specify an override policy. When override is selected, the access permissions in the policy override the access permissions in existing policies. This feature can be used together with "Add Validity Period" to create temporary access policies that override existing policies. |
| Resource Path | Define the resource path of the policy folder/file. The default recursion setting specifies that the resource path is recursive; you can also specify a non-recursive path. |
| Description | (Optional) Describe the purpose of this policy. |
| Audit Logging | Specify whether this policy is audited. (Deselect to disable auditing.) |
| Policy Label | Assign a label to the policy. You can search reports and filter policies based on these labels. |
| Add Validity Period | Specify the start and end time of the policy. |

Allow conditions

| Label | Description |
| --- | --- |
| Select Group | Specify the group to which this policy applies. To designate a group as an administrator, select the "Delegate Admin" check box. The administrator can edit or delete the policy, or create a sub-policy based on the original policy. The public group contains all users, so granting access to the public group grants access to all users. |
| Select User | Specify the users to whom this policy applies. To designate a user as an administrator, select the "Delegate Admin" check box. The administrator can edit or delete the policy, or create a sub-policy based on the original policy. |
| Permissions | Add or edit permissions: Read, Write, Execute, Select All/Deselect All. |
| Delegate Admin | You can use Delegate Admin to assign administrator rights to the users or groups specified in the policy. The administrator can edit or delete the policy, or create a sub-policy based on the original policy. |

  4. You can use the plus sign (+) to add additional conditions. Conditions are evaluated in the order listed in the policy. The condition at the top of the list is applied first, then the second condition, then the third condition, and so on.
  5. Click Add.


Origin blog.csdn.net/m0_48187193/article/details/114676790