Updated on 2024-05-29 GMT+08:00

Adding a Ranger Access Permission Policy for OBS

Scenario

Ranger administrators can use Ranger to configure the read and write permissions on OBS directories or files for OBS users.

This section applies to MRS 3.3.0-LTS or later.

Prerequisites

  • The Ranger service has been installed and is running properly.
  • You have created a user group for which you want to configure permissions.
  • The Guardian service has been installed.

Procedure

  1. Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI.
  2. On the home page, click the component plug-in name in the EXTERNAL AUTHORIZATION area, for example, OBS.
  3. Click Add New Policy to add an OBS permission control policy.
  4. Configure the parameters listed in the table below based on service requirements.

    Table 1 OBS permission parameters

    | Parameter | Description |
    | --- | --- |
    | Policy Name | Policy name, which can be customized and must be unique in the service. |
    | Policy Label | A label specified for the current policy. You can search for reports and filter policies based on labels. |
    | Resource Path | Resource path, which is the OBS folder or file to which the current policy applies. You can enter multiple values but cannot use the wildcard (*). The configured OBS folder or file must exist. Otherwise, the authorization fails. By default, permission recursion is enabled on OBS and cannot be modified. Subdirectories without any permission inherit all permissions of their parent directories. |
    | Description | Policy description. |
    | Audit Logging | Whether to audit the policy. |
    | Allow Conditions | Policy allowed condition. You can configure permissions allowed by the policy. In the Select Group column, select the created user group to which you want to grant permissions. (The configuration of Select Role or Select User does not take effect.) Click Add Permissions to add permissions: Read (permission to read data), Write (permission to write data), Select/Deselect All (permission to select or deselect all). To add multiple permission control rules, click . To delete a permission control rule, click . A user group name can contain a maximum of 52 characters, including numbers (0 to 9), letters (A to Z or a to z), underscores (_), and number signs (#). Otherwise, the policy fails to be added. For example, to grant the read and write permissions on the obs://hs-test/user/hive/warehouse/o4 table to user group hs_group1, the configuration is as follows: |

  5. Click Add to view basic information about the policy in the policy list. After the policy takes effect, check whether related permissions are normal.

    If a policy is no longer used, click to delete it.
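
The constraints in Table 1 can be checked against a draft policy before it is entered in the web UI. The following is an added example, not part of the original documentation or of Ranger or MRS code; the dictionary layout, the name lint_policy, the obs://bucket/path form (taken from the page's example path) and the bucket-level heuristic are assumptions.

```python
import re

# Rules from Table 1. The dict layout and names are hypothetical, not a Ranger API.
GROUP_RE = re.compile(r"[0-9A-Za-z_#]{1,52}")
ALLOWED_PERMS = {"read", "write"}

def lint_policy(policy, existing_names=()):
    """Return findings: Table 1 violations plus one recursion review heuristic."""
    problems = []
    name = policy.get("name", "")
    if not name or name in existing_names:
        problems.append("policy name must be set and unique in the service")
    paths = policy.get("paths", [])
    if not paths:
        problems.append("at least one resource path is required")
    for path in paths:
        if "*" in path:
            problems.append(f"{path}: wildcard (*) is not supported")
        # Assumption: paths are written obs://bucket/key, as in the page's example.
        bucket, _, key = path[6:].partition("/")
        if not path.startswith("obs://") or not bucket:
            problems.append(f"{path}: expected obs://<bucket>/<path>")
        elif not key.strip("/"):
            # Heuristic, not a page rule: recursion cannot be disabled, so a
            # grant on the bucket itself reaches every subdirectory under it.
            problems.append(f"{path}: bucket-level grant applies to every subdirectory")
    for cond in policy.get("allow", []):
        if cond.get("users") or cond.get("roles"):
            problems.append("Select User/Select Role do not take effect; use a group")
        groups = cond.get("groups", [])
        if not groups:
            problems.append("allow condition has no user group")
        for group in groups:
            if not GROUP_RE.fullmatch(group):
                problems.append(f"group {group!r}: max 52 chars of 0-9, A-Z, a-z, _ and #")
        unknown = sorted(set(cond.get("perms", [])) - ALLOWED_PERMS)
        if unknown:
            problems.append(f"unknown permissions: {unknown}")
    return problems

# Constructed sample input: GOOD mirrors the page's example, BAD breaks the rules.
GOOD = {"name": "hive_o4_rw", "paths": ["obs://hs-test/user/hive/warehouse/o4"],
        "allow": [{"groups": ["hs_group1"], "perms": ["read", "write"]}]}
BAD = {"name": "hive_o4_rw", "paths": ["obs://hs-test/user/*", "obs://hs-test/"],
       "allow": [{"groups": ["hs-group 1"], "users": ["alice"], "perms": ["read"]}]}

if __name__ == "__main__":
    print(lint_policy(GOOD))
    for problem in lint_policy(BAD, existing_names={"hive_o4_rw"}):
        print("-", problem)
```

The check does not confirm that the OBS folder or file exists, which Table 1 also requires for authorization to succeed.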