Updated on 2023-01-11 GMT+08:00

Adding a Ranger Access Permission Policy for HetuEngine

Scenario

Ranger administrators use Ranger to define which catalogs, schemas (databases), tables, and columns of the connected data sources HetuEngine users may access, and with which operations.

Prerequisites

  • The Ranger service has been installed and is running properly.
  • You have created users, user groups, or roles for which you want to configure permissions.
  • The users have been added to the hetuuser group.
  • Before using HetuEngine, ensure that the user configured in the data source connection file (the identity HetuEngine itself uses to reach the data source) holds the permissions required for the intended operations on that data source. A Ranger policy grants a HetuEngine user access through HetuEngine; it does not grant the data source permissions HetuEngine itself needs. If the user lacks them, grant them according to the permission requirements of that data source.

Procedure

  1. Log in to the Ranger web UI. Click HetuEngine in the PRESTO area on the homepage.
  2. On the Access tab page, click Add New Policy to add a HetuEngine permission control policy.
  3. Configure the parameters listed in the table below based on the service demands.

    Table 1 HetuEngine permission parameters (Parameter: Description)

    Policy Name

    Policy name, which can be customized and must be unique in the service. The switch next to the name controls whether the policy is in force:

    • Enabled: Enable the current policy.
    • Disabled: Disable the current policy.
    Policy Conditions

    Policy-level IP address filter, which can be customized. Enter one or more client IP addresses or address ranges, separated by commas; the wildcard * is allowed, for example, 192.168.1.10,192.168.1.20 or 192.168.1.*. The policy then applies only to requests from matching client addresses.

    Policy Label

    A label specified for the current policy. You can search for reports and filter policies based on labels.

    Presto Catalog

    Name of the data source catalog to which the policy applies. If this parameter is set to *, the policy applies to all catalogs.

    • Include: The policy applies to the current input object.
    • Exclude: The policy applies to objects other than the current input.

    Schema

    Name of the schema to which the policy applies. The value * indicates all schemas.

    • Include: The policy applies to the current input object.
    • Exclude: The policy applies to objects other than the current input.

    Table

    Name of the table or view to which the policy applies. If this parameter is set to *, the policy applies to all tables.

    • Include: The policy applies to the current input object.
    • Exclude: The policy applies to objects other than the current input.

    Column

    Name of the column to which the policy applies. The value * indicates all columns.

    Description

    Policy description.

    Audit Logging

    Whether access decisions made under this policy are recorded in the Ranger audit log.

    Allow Conditions

    Policy allowed condition. You can configure permissions and exceptions allowed by the policy.

    In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which you want to assign permissions. Click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add corresponding permissions.

    • Select: permission to query data
    • Insert: permission to insert data
    • Create: permission to create objects (schemas, tables)
    • Drop: permission to drop objects (schemas, tables)
    • Delete: permission to delete data
    • Use: permission to use the object
    • Alter: permission to alter objects
    • Update: permission to update data
    • Admin: administrative permissions (ACL-controlling operations such as SET SESSION, GRANT, and REVOKE)
    • All: all of the above, including Admin
    • Select/Deselect All: select or clear all of the above

    To add further permission rules, click the add (+) icon.

    If the users or user groups in this condition also need to manage the policy itself, select Delegate Admin. They become delegated administrators of the policy: they can update and delete it and create further policies for resources within its scope.

    Deny Conditions

    Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is the same as that of Allow Conditions.

    Table 2 Setting permissions (Task: Steps)

    Granting the access policy to the catalog where the table is located

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the resource to be authorized, for example, hive.
    3. Enter the authorized HetuEngine user in the Select User text box.
    4. In Permissions, select Select.
    NOTE:

    This is the basic policy. Ensure it exists for the user before configuring any other policy on the catalog.

    Granting the permission to access the remote HetuEngine table

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the table to be authorized, for example, systemremote and svc.
    3. Select schema from the drop-down list box under Presto Catalog and enter * in the text box.
    4. Select table from the drop-down list box under schema and enter * in the text box.
    5. Select column from the drop-down list box under table and enter * in the text box.
    6. Enter the authorized remote HetuEngine user in the Select User text box.
    7. In Permissions, select Create, Drop, Select, and Insert.
    NOTE:

    This is the basic policy for remote HetuEngine tables. Ensure it exists before configuring any other policy on the remote catalog.

    Create schemas

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog that contains the target schema, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the target schema to be authorized in the text box. If this parameter is set to *, all schemas under the current catalog are authorized.
    4. Enter the authorized HetuEngine user in the Select User text box.
    5. In Permissions, select Create.

    Drop schemas

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog that contains the target schema, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the target schema to be authorized in the text box. If this parameter is set to *, all schemas under the current catalog are authorized.
    4. Enter the authorized HetuEngine user in the Select User text box.
    5. In Permissions, select Drop.

    Create table

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
    4. Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
    5. Enter the authorized HetuEngine user in the Select User text box.
    6. In Permissions, select Create.

    Drop tables

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
    4. Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
    5. Enter the authorized HetuEngine user in the Select User text box.
    6. In Permissions, select Drop.

    Alter tables

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
    4. Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
    5. Enter the authorized HetuEngine user in the Select User text box.
    6. In Permissions, select Alter.
    NOTE:

    Dropping partitions with ALTER TABLE table_name DROP [IF EXISTS] PARTITION partition_spec[, PARTITION partition_spec, ...]; requires the table-level Delete permission and the column-level Select permission.

    Show tables

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema whose tables may be listed, for example, default.
    4. Enter the authorized HetuEngine user in the Select User text box.
    5. In Permissions, select Select.

    Show partitions

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema that contains the target table, for example, default.
    4. Select table from the drop-down list box under schema and enter both the target table, for example, hive_table, and its internal partitions table, for example, hive_table$partitions.
    5. Select column from the drop-down list box under table and enter the name of the target column to be authorized in the text box. If this parameter is set to *, all columns under the current table are authorized.
    6. Enter the authorized HetuEngine user in the Select User text box.
    7. In Permissions, select Select.
    NOTE:

    When a user queries the partitions of a table, HetuEngine rewrites the query during SQL parsing into a query on the internal table <table_name>$partitions, so that internal table must be authorized as well.

    Insert tables

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
    4. Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
    5. Enter the authorized HetuEngine user in the Select User text box.
    6. In Permissions, select Insert.

    Delete

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
    4. Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
    5. Enter the authorized HetuEngine user in the Select User text box.
    6. In Permissions, select Delete.

    Select

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box.
    4. Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
    5. Select column from the drop-down list box under table and enter the name of the target column to be authorized in the text box. If this parameter is set to *, all columns under the current table are authorized.
    6. Enter the authorized HetuEngine user in the Select User text box.
    7. In Permissions, select Select.

    Show columns

    1. Enter the policy name in Policy Name.
    2. In Presto Catalog, enter the catalog of the target table to be authorized, for example, hive.
    3. Select schema from the drop-down list box under Presto Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
    4. Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
    5. Select column from the drop-down list box under table and enter the name of the target column to be authorized in the text box. If this parameter is set to *, all columns under the current table are authorized.
    6. Enter the authorized HetuEngine user in the Select User text box.
    7. In Permissions, select Select.

    Set sessions

    1. Enter the policy name in Policy Name.
    2. Enter * in the Presto Catalog text box.
    3. Enter the authorized HetuEngine user in the Select User text box.
    4. Select Delegate Admin.

    NOTE:

    • A new or changed policy takes effect about 30 seconds after it is saved.
    • Access control is supported down to the column level.

  4. (Optional) Add a validity period for the policy. Click Add Validity period in the upper right corner of the page, set Start Time and End Time, select Time Zone, and click Save. To add further validity periods, click the add (+) icon; to remove one, click the delete icon. Outside its validity periods the policy is not applied.
  5. Click Add. The policy appears in the policy list with its basic information. After the policy takes effect (about 30 seconds), verify it from a HetuEngine client: the authorized user should be able to perform the granted operations, and an unauthorized user or operation should be rejected.

    To disable a policy, click the edit icon of the policy and set it to Disabled.

    If a policy is no longer needed, click the delete icon to remove it.
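
Each policy configured above is stored by Ranger as a JSON document, and the same document can be created through Ranger's REST API (POST /service/public/v2/api/policy) instead of the web UI. The following Python is an added example, not part of this documentation or of MRS: it builds the policies of three Table 2 tasks for two constructed users and checks the prerequisite the NOTE in Table 2 stresses, namely that every user given rights below a catalog also holds the catalog-level Select grant (the basic policy). The service name hetuengine, the user, table and policy names, and the assumption that MRS keeps the open source Presto service definition's resource keys, ip-range condition and access-type names are assumptions made for the example; the field names policyType, isExcludes and validitySchedules are those of the open source Ranger API.

```python
import json
from typing import Dict, Iterable, List, Optional

# Assumptions: the Ranger service instance for HetuEngine is named "hetuengine";
# resource keys (catalog/schema/table/column), the ip-range condition and the
# lower-case access-type names follow the open source Presto service definition.
# MRS-specific access types such as "update" or "admin" are passed through as typed.
SERVICE_NAME = "hetuengine"


def resource(value: str, exclude: bool = False) -> Dict:
    """One resource entry; the UI's Include/Exclude switch is isExcludes."""
    return {"values": [value], "isExcludes": exclude, "isRecursive": False}


def policy_item(users: Iterable[str] = (), groups: Iterable[str] = (),
                accesses: Iterable[str] = (), ip_ranges: Iterable[str] = (),
                delegate_admin: bool = False) -> Dict:
    """One row of Allow Conditions or Deny Conditions: who, which permissions, from where."""
    item = {
        "users": list(users), "groups": list(groups), "roles": [],
        "accesses": [{"type": a.lower(), "isAllowed": True} for a in accesses],
        "delegateAdmin": delegate_admin, "conditions": [],
    }
    if ip_ranges:  # what "Add Conditions" does in the UI
        item["conditions"].append({"type": "ip-range", "values": list(ip_ranges)})
    return item


def access_policy(name: str, catalog: str, schema: Optional[str] = None,
                  table: Optional[str] = None, column: Optional[str] = None,
                  allow: Iterable[Dict] = (), deny: Iterable[Dict] = (),
                  description: str = "", validity: Optional[List[Dict]] = None) -> Dict:
    """Access policy (policyType 0). Leave schema/table/column as None for a
    catalog-level policy; pass "*" to cover every object at a level."""
    res = {"catalog": resource(catalog)}
    for key, val in (("schema", schema), ("table", table), ("column", column)):
        if val is not None:
            res[key] = resource(val)
    policy = {
        "service": SERVICE_NAME, "name": name, "policyType": 0,
        "isEnabled": True, "isAuditEnabled": True, "description": description,
        "resources": res, "policyItems": list(allow), "denyPolicyItems": list(deny),
        "allowExceptions": [], "denyExceptions": [],
    }
    if validity:  # step 4 of the procedure; Ranger expects "yyyy/MM/dd HH:mm:ss"
        policy["validitySchedules"] = validity
    return policy


def users_missing_basic_policy(policies: List[Dict]) -> Dict[str, List[str]]:
    """Return {catalog: [users]} for users granted something on a schema, table or
    column of a catalog without a catalog-level Select (or All) grant on it, i.e.
    the basic policy of Table 2 is missing for them."""
    basic, needed = set(), set()
    for p in policies:
        if p.get("policyType", 0) != 0 or not p.get("isEnabled", True):
            continue
        res = p["resources"]
        if res["catalog"]["isExcludes"]:
            continue  # an Exclude catalog policy is not a grant on any one catalog
        catalog_level = "schema" not in res
        for item in p["policyItems"]:
            types = {a["type"] for a in item["accesses"] if a["isAllowed"]}
            for cat in res["catalog"]["values"]:
                for user in item["users"]:
                    if catalog_level and types & {"select", "all"}:
                        basic.add((cat, user))
                    elif not catalog_level:
                        needed.add((cat, user))
    missing: Dict[str, List[str]] = {}
    for cat, user in sorted(needed):
        if (cat, user) not in basic and ("*", user) not in basic:
            missing.setdefault(cat, []).append(user)
    return missing


def demo_policies() -> List[Dict]:
    """Tasks "basic policy", "Select" and "Create table" of Table 2 for constructed users."""
    analyst, etl = "hetu_analyst", "hetu_etl"  # constructed user names
    return [
        access_policy("hive-catalog-basic", "hive",
                      allow=[policy_item(users=[analyst], accesses=["Select"])],
                      description="Basic policy: configure before table-level policies"),
        access_policy("hive-default-orders-select", "hive", "default", "orders", "*",
                      allow=[policy_item(users=[analyst], accesses=["Select"],
                                         ip_ranges=["192.168.1.*"])],
                      deny=[policy_item(users=[analyst], accesses=["Select"],
                                        ip_ranges=["192.168.1.20"])]),
        # hetu_etl gets Create/Insert on default.* but no basic policy: flagged below
        access_policy("hive-default-etl-create", "hive", "default", "*",
                      allow=[policy_item(users=[etl], accesses=["Create", "Insert"])]),
    ]


if __name__ == "__main__":
    plan = demo_policies()
    print(json.dumps(plan[1], indent=2))  # body for POST /service/public/v2/api/policy
    print("users lacking the basic policy:", users_missing_basic_policy(plan))
```

Running the script prints the JSON body of the orders policy, which is what an administrator would submit to the Ranger API with admin credentials, and reports hetu_etl as lacking the basic policy: that user has Create and Insert on default.* but no catalog-level Select on hive, which is exactly the situation the NOTE in Table 2 warns against. The Exclude switch (isExcludes) is deliberately not counted as a grant, because a policy that applies to every catalog except one does not establish access to any particular catalog.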

HetuEngine Data Masking

Ranger supports data masking for HetuEngine. A masking policy rewrites the values a user receives from a SELECT so that sensitive data is masked before it is returned; the stored data itself is not changed.

  1. Log in to the Ranger web UI. Click HetuEngine in the PRESTO area on the homepage.
  2. On the Masking tab page, click Add New Policy to add a HetuEngine data masking policy.
  3. Configure the parameters listed in the table below based on the service demands.

    Table 3 HetuEngine data masking parameters (Parameter: Description)

    Policy Name

    Policy name, which can be customized and must be unique in the service.

    Policy Conditions

    Policy-level IP address filter, which can be customized. Enter one or more client IP addresses or address ranges, separated by commas; the wildcard * is allowed, for example, 192.168.1.10,192.168.1.20 or 192.168.1.*. The policy then applies only to requests from matching client addresses.

    Policy Label

    A label specified for the current policy. You can search for reports and filter policies based on labels.

    Presto Catalog

    Name of the catalog to which the current policy applies.

    Presto Schema

    Name of the schema (database) to which the current policy applies.

    Presto Table

    Name of the table to which the current policy applies.

    Presto Column

    Name of the column to which the current policy applies.

    Description

    Policy description.

    Audit Logging

    Whether access decisions made under this policy are recorded in the Ranger audit log.

    Mask Conditions

    In the Select Role, Select Group, and Select User columns, select the roles, groups, or users the masking applies to, click Add Conditions to restrict the policy to an IP address range if needed, then click Add Permissions and select Select (masking applies to query results only).

    Click Select Masking Option and select a masking method:

    • Redact: Replace every letter with x and every digit with n.
    • Partial mask: show last 4: Show only the last four characters; the remaining characters are replaced with x.
    • Partial mask: show first 4: Show only the first four characters; the remaining characters are replaced with x.
    • Hash: Replace the original value with its hash value.
    • Nullify: Replace the original value with NULL.
    • Unmasked (retain original value): Return the original value.
    • Custom: Apply a masking expression that you write; its return type must match the data type of the masked column.

    To add another mask condition, click the add (+) icon.

  4. Click Add. The policy appears in the policy list with its basic information.
  5. When a user runs a SELECT on a table covered by a masking policy from a HetuEngine client, the masked values are returned in place of the originals.

HetuEngine Row-level Data Filtering

Ranger can filter rows from the result when a user runs a SELECT on a HetuEngine table, so that each user sees only the rows the filter permits.

  1. Log in to the Ranger web UI. Click HetuEngine in the PRESTO area on the homepage.
  2. On the Row Level Filter tab page, click Add New Policy to add a row data filtering policy.
  3. Configure the parameters listed in the table below based on the service demands.

    Table 4 Parameters for filtering HetuEngine row data (Parameter: Description)

    Policy Name

    Policy name, which can be customized and must be unique in the service.

    Policy Conditions

    Policy-level IP address filter, which can be customized. Enter one or more client IP addresses or address ranges, separated by commas; the wildcard * is allowed, for example, 192.168.1.10,192.168.1.20 or 192.168.1.*. The policy then applies only to requests from matching client addresses.

    Policy Label

    A label specified for the current policy. You can search for reports and filter policies based on labels.

    Presto Catalog

    Name of the catalog to which the current policy applies.

    Presto Schema

    Name of the schema (database) to which the current policy applies.

    Presto Table

    Name of the table to which the current policy applies.

    Description

    Policy description.

    Audit Logging

    Whether access decisions made under this policy are recorded in the Ranger audit log.

    Row Filter Conditions

    In the Select Role, Select Group, and Select User columns, select the roles, groups, or users the filter applies to, click Add Conditions to restrict the policy to an IP address range if needed, then click Add Permissions and select Select.

    Click Row Level Filter and enter the filter expression, a SQL predicate over the table's columns; only rows for which it is true are returned to the selected users.

    For example, to hide the rows of table A whose name column is zhangsan, enter the filter name <> 'zhangsan'. For more information, see the official Ranger documentation.

    To add more filter conditions, click the add (+) icon.

  4. Click Add. The policy appears in the policy list with its basic information.
  5. When a user runs a SELECT on a table covered by a row-level filter policy from a HetuEngine client, only the rows that satisfy the filter are returned.
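
Masking policies (HetuEngine Data Masking above) and row-level filter policies (this section) are also JSON documents on the Ranger side, with policyType 1 and 2 respectively, as opposed to 0 for access policies. The following Python is an added example serving both sections and is not part of this documentation or of MRS: it builds a masking policy for one column and the row-filter policy from the name <> 'zhangsan' example, and includes a local preview of what each built-in masking option of Table 3 does to a sample value, so an administrator can see the effect of an option before applying it to production data. The service name hetuengine, the table, column and user names and the sample values are constructed; the dataMaskType identifiers and field names are those of the open source Ranger API; SHA-256 for the Hash preview is an assumption, since the actual masking expression is chosen and applied by HetuEngine.

```python
import hashlib
from typing import Dict, Iterable, Optional

SERVICE_NAME = "hetuengine"  # assumption: name of the Ranger service instance

# UI label from Table 3 -> Ranger dataMaskType identifier
MASK_TYPES = {
    "Redact": "MASK",
    "Partial mask: show last 4": "MASK_SHOW_LAST_4",
    "Partial mask: show first 4": "MASK_SHOW_FIRST_4",
    "Hash": "MASK_HASH",
    "Nullify": "MASK_NULL",
    "Unmasked (retain original value)": "MASK_NONE",
    "Custom": "CUSTOM",
}


def _resources(catalog: str, schema: str, table: str, column: Optional[str] = None) -> Dict:
    """Presto Catalog/Schema/Table(/Column) fields; row filters stop at the table."""
    res = {k: {"values": [v], "isExcludes": False, "isRecursive": False}
           for k, v in (("catalog", catalog), ("schema", schema), ("table", table))}
    if column is not None:
        res["column"] = {"values": [column], "isExcludes": False, "isRecursive": False}
    return res


def _item(users: Iterable[str], ip_ranges: Iterable[str]) -> Dict:
    """Both policy kinds grant exactly Select; Add Conditions adds an ip-range."""
    item = {"users": list(users), "groups": [], "roles": [],
            "accesses": [{"type": "select", "isAllowed": True}], "conditions": []}
    if ip_ranges:
        item["conditions"].append({"type": "ip-range", "values": list(ip_ranges)})
    return item


def masking_policy(name: str, catalog: str, schema: str, table: str, column: str,
                   users: Iterable[str], option: str, custom_expr: Optional[str] = None,
                   ip_ranges: Iterable[str] = ()) -> Dict:
    """Data masking policy (policyType 1) for one column."""
    if option == "Custom" and not custom_expr:
        raise ValueError("Custom masking needs an expression returning the column's data type")
    item = _item(users, ip_ranges)
    item["dataMaskInfo"] = {"dataMaskType": MASK_TYPES[option]}
    if custom_expr:
        item["dataMaskInfo"]["valueExpr"] = custom_expr
    return {"service": SERVICE_NAME, "name": name, "policyType": 1, "isEnabled": True,
            "isAuditEnabled": True, "resources": _resources(catalog, schema, table, column),
            "dataMaskPolicyItems": [item]}


def row_filter_policy(name: str, catalog: str, schema: str, table: str,
                      users: Iterable[str], filter_expr: str,
                      ip_ranges: Iterable[str] = ()) -> Dict:
    """Row-level filter policy (policyType 2); filter_expr is a SQL predicate and
    only rows for which it is true are returned to the listed users."""
    item = _item(users, ip_ranges)
    item["rowFilterInfo"] = {"filterExpr": filter_expr}
    return {"service": SERVICE_NAME, "name": name, "policyType": 2, "isEnabled": True,
            "isAuditEnabled": True, "resources": _resources(catalog, schema, table),
            "rowFilterPolicyItems": [item]}


def preview_mask(value: Optional[str], option: str) -> Optional[str]:
    """Model of the built-in options as Table 3 describes them, for checking a
    policy before rollout: Redact turns letters into x and digits into n, the
    partial masks replace the hidden part with x. SHA-256 for Hash is an
    assumption; the real masking expression is applied by HetuEngine."""
    if value is None or option == "Nullify":
        return None
    if option == "Unmasked (retain original value)":
        return value
    if option == "Redact":
        return "".join("x" if c.isalpha() else "n" if c.isdigit() else c for c in value)
    if option == "Partial mask: show last 4":
        return "x" * max(len(value) - 4, 0) + value[-4:]
    if option == "Partial mask: show first 4":
        return value[:4] + "x" * max(len(value) - 4, 0)
    if option == "Hash":
        return hashlib.sha256(value.encode("utf-8")).hexdigest()
    raise ValueError(f"no local preview for masking option {option!r}")


if __name__ == "__main__":
    phone = "13812345678"  # constructed sample value
    for opt in MASK_TYPES:
        if opt != "Custom":
            print(f"{opt:35} {preview_mask(phone, opt)}")
    print(row_filter_policy("A-hide-zhangsan", "hive", "default", "A",
                            ["hetu_analyst"], "name <> 'zhangsan'"))
```

Two details worth noting when reading the output: a partial mask on a value shorter than four characters reveals the whole value, so "show last 4" is only a mask for columns whose values are reliably longer than that; and a row filter policy carries no column resource, because the predicate is applied to whole rows of the table, which is why Table 4 has no Presto Column parameter.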