Updated on 2022-08-12 GMT+08:00

Rights Model

Role-based Access Control

FusionInsight uses role-based access control (RBAC) to manage rights across the big data system. It integrates the rights management functions of the individual components so that rights are managed centrally: ordinary users are shielded from each component's internal rights details, and administrators' rights management operations are simplified, which improves usability and user experience.

The rights model of FusionInsight is "users-user groups-roles-rights".

Figure 1 Rights model
  • Rights

    Rights are defined by each component and grant users access to that component's resources. The set of rights therefore differs from component to component.

    Example:

    • HDFS provides read, write, and execute permissions on file resources.
    • HBase provides create, write, and read permissions on table resources.
  • Role

    A role is a collection of component rights. One role can hold multiple rights from multiple components, and several roles can each hold rights on the same resource of the same component.

  • User group

    A user group is a collection of users. When a user group is bound to a role, every user in the group obtains the rights defined by that role.

    Several user groups can be bound to the same role, and a user group may be bound to no role at all. By itself, a user group carries no rights on any component resource; its members obtain rights only through the roles bound to the group.

    Some components nonetheless grant rights to specific user groups by default.

  • User

    Users are the visitors to the system. Each user holds the rights of every role bound to the user directly and of every role bound to the user's groups. To obtain a right, a user must therefore be added to a user group that is bound to a suitable role, or be bound to the role directly.
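The following is an added example, not FusionInsight code: a minimal model of the "users-user groups-roles-rights" chain described above. It resolves a user's effective rights as the union of the rights of every role bound to the user, directly or through any group, and shows a group bound to no role contributing nothing. All component, resource, role, group, and user names are constructed for illustration.

```python
"""Added example (not FusionInsight code): resolving effective rights
through the users -> user groups -> roles -> rights chain.

Every name below (components, resources, roles, groups, users) is
constructed for illustration and does not refer to a real cluster.
"""
from collections import defaultdict

# A right is a (component, resource, action) triple; each component
# defines its own actions for its own resources.
# A role is a named collection of such rights, possibly spanning components.
ROLES = {
    "log_reader": {
        ("HDFS", "/data/logs", "read"),
        ("HDFS", "/data/logs", "execute"),
    },
    "hbase_writer": {
        ("HBase", "events", "write"),
        ("HBase", "events", "read"),
    },
    # A second role holding a right on the same HBase resource.
    "hbase_admin": {
        ("HBase", "events", "create"),
    },
}

# User group -> bound roles. A group may be bound to no role at all.
GROUP_ROLES = {
    "analysts": {"log_reader"},
    "ingest": {"log_reader", "hbase_writer"},
    "interns": set(),          # bound to no role: carries no rights
}

# User -> groups, and roles bound directly to the user.
USER_GROUPS = {
    "alice": {"analysts"},
    "bob": {"ingest", "interns"},
    "carol": {"interns"},
}
USER_ROLES = {
    "alice": set(),
    "bob": {"hbase_admin"},    # direct role binding
    "carol": set(),
}


def effective_rights(user, roles=ROLES, group_roles=GROUP_ROLES,
                     user_groups=USER_GROUPS, user_roles=USER_ROLES):
    """Union of the rights of every role bound to the user directly or
    via any of the user's groups. Unknown users get no rights."""
    bound = set(user_roles.get(user, set()))
    for group in user_groups.get(user, set()):
        bound |= group_roles.get(group, set())
    rights = set()
    for role in bound:
        rights |= roles.get(role, set())
    return rights


def is_allowed(user, component, resource, action, **kw):
    """True if the user holds the named right on the component resource."""
    return (component, resource, action) in effective_rights(user, **kw)


def rights_by_component(user, **kw):
    """Group a user's effective rights by component for display."""
    out = defaultdict(set)
    for component, resource, action in effective_rights(user, **kw):
        out[component].add((resource, action))
    return dict(out)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, rights_by_component(name))
```

Note that carol, whose only group is bound to no role, ends up with an empty rights set even though she is a member of a group; bob gains HBase create only because the role is bound to him directly, not through any of his groups.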

Policy-based Access Control

The Ranger component uses policy-based access control (PBAC) to manage permissions and implement fine-grained data access control on components such as HDFS, Hive, and HBase.

A component can be governed by only one permission control mechanism at a time. Once Ranger permission control is enabled for a component, the permissions on that component defined in roles created on FusionInsight Manager no longer take effect (the ACL rules of the HDFS and Yarn components still apply). Permissions on the component's resources must then be granted by adding policies on the Ranger management page.

The Ranger permission model consists of multiple permission policies. Each policy is built from the following elements:

  • Resource

    Objects that a component exposes for users to access, such as files or directories in HDFS, queues in Yarn, and databases, tables, and columns in Hive.

  • User

    The user who accesses the system. Each user's permissions are determined by the policies associated with that user. User, user group, and role information in LDAP is periodically synchronized to Ranger.

  • Permission

    The access conditions configured in a policy for a resource, such as read or write access to a file. A policy can carry allow conditions, deny conditions, and exceptions to either, so that a deny can override an allow and a specific user or group can be carved out of a broader rule.
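The following is an added example, not Ranger's or FusionInsight's code: a small evaluator for policies shaped like the resource / user / permission model above, with allow items, deny items, and exceptions to each, over group membership as the LDAP sync would deliver it. The evaluation order it implements (deny items checked before allow items, each exception carving out of the item it belongs to, anything not explicitly allowed denied, and HDFS-style recursive path matching) is an assumption chosen to illustrate the model, not a statement of the product's exact behaviour. All users, groups, paths, and policies are constructed for illustration.

```python
"""Added example (not Ranger or FusionInsight code): evaluating
allow/deny/exception policy items against a resource request.

Assumptions (not taken from the page): deny items are checked before
allow items, an exception cancels the item it is attached to, a deny
wins over any allow, and a request matched by no allow is denied.
User, group, path and policy names are constructed.
"""
from dataclasses import dataclass, field

# Group membership as the periodic LDAP sync would deliver it (constructed).
USER_GROUPS = {
    "alice": {"analysts"},
    "bob": {"analysts", "contractors"},
    "dave": {"ops"},
}


@dataclass
class Item:
    """One policy item: which users or groups get which access types."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    accesses: set = field(default_factory=set)

    def matches(self, user, groups, access):
        return access in self.accesses and (user in self.users or bool(groups & self.groups))


@dataclass
class Policy:
    """A policy on one resource of one service, with allow and deny
    items and the exceptions that carve out of each."""
    service: str              # e.g. "hdfs" or "hive"
    resource: str             # e.g. an HDFS path
    recursive: bool = True    # policy also covers sub-paths
    allow: list = field(default_factory=list)
    allow_exceptions: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    deny_exceptions: list = field(default_factory=list)

    def covers(self, service, resource):
        if service != self.service:
            return False
        if resource == self.resource:
            return True
        return self.recursive and resource.startswith(self.resource.rstrip("/") + "/")


def _any(items, user, groups, access):
    return any(i.matches(user, groups, access) for i in items)


def evaluate(policies, service, resource, user, access, user_groups=USER_GROUPS):
    """Return (decision, reason) for one access request."""
    groups = user_groups.get(user, set())
    allowed_by = None
    for p in policies:
        if not p.covers(service, resource):
            continue
        # A matching deny item not cancelled by a deny exception is final.
        if _any(p.deny, user, groups, access) and not _any(p.deny_exceptions, user, groups, access):
            return False, f"explicitly denied by policy on {p.resource}"
        # Remember the first allow, but keep scanning for denies.
        if allowed_by is None and _any(p.allow, user, groups, access) \
                and not _any(p.allow_exceptions, user, groups, access):
            allowed_by = p.resource
    if allowed_by is not None:
        return True, f"allowed by policy on {allowed_by}"
    return False, "no policy grants this access"


# Constructed policies: analysts may read and list /data/finance, ops may
# also write there, contractors are carved out of read, analysts are
# explicitly denied write (alice excepted), and the payroll sub-tree is
# denied to analysts except alice.
POLICIES = [
    Policy("hdfs", "/data/finance",
           allow=[Item(groups={"analysts"}, accesses={"read", "execute"}),
                  Item(groups={"ops"}, accesses={"read", "write", "execute"})],
           allow_exceptions=[Item(groups={"contractors"}, accesses={"read"})],
           deny=[Item(groups={"analysts"}, accesses={"write"})],
           deny_exceptions=[Item(users={"alice"}, accesses={"write"})]),
    Policy("hdfs", "/data/finance/payroll",
           deny=[Item(groups={"analysts"}, accesses={"read", "execute"})],
           deny_exceptions=[Item(users={"alice"}, accesses={"read", "execute"})]),
]

if __name__ == "__main__":
    for user, path, access in [("alice", "/data/finance/q1.csv", "read"),
                               ("alice", "/data/finance/q1.csv", "write"),
                               ("bob", "/data/finance/payroll/2024.csv", "execute"),
                               ("dave", "/data/finance/payroll/2024.csv", "write")]:
        print(user, access, path, evaluate(POLICIES, "hdfs", path, user, access))
```

Two outcomes are worth checking in your own policies: a deny exception only cancels the deny, so alice's write to /data/finance still fails because no allow item grants it; and an allow exception applies across every allow item in the policy, so a contractor loses read even where another allow item would have matched.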