Updated on 2024-10-09 GMT+08:00

Adding a Ranger Access Permission Policy for OBS

Scenario

Ranger administrators can use Ranger to configure the read and write permissions on OBS directories or files for OBS users.

This section applies only to MRS 3.3.0-LTS or later.

Prerequisites

  • The Ranger service has been installed and is running properly.
  • You have created a user group for which you want to configure permissions.
  • The Guardian service has been installed.

Procedure

  1. Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI.
  2. On the home page, click the component plug-in name in the EXTERNAL AUTHORIZATION area, for example, OBS.
  3. Click Add New Policy to add an OBS permission control policy.
  4. Configure the parameters listed in the table below based on service requirements.

    Table 1 OBS permission parameters

    Parameter
        Description

    Policy Name
        Policy name, which can be customized and must be unique in the service.

    Policy Label
        A label specified for the current policy. You can search for reports and filter policies based on labels.

    Resource Path
        Resource path, that is, the OBS folder to which the current policy applies. You can enter multiple values but cannot use wildcards (*). The configured OBS folder must exist; otherwise, the authorization fails.

        By default, permission recursion is enabled on OBS and cannot be modified. Subdirectories without any permission inherit all permissions of their parent directories.

    Description
        Policy description.

    Audit Logging
        Whether to audit the policy.

    Allow Conditions
        Conditions under which the policy allows access. Configure the permissions that the policy grants here.

        In the Select Group column, select the created user group to which you want to grant permissions. (The configuration of Select Role or Select User does not take effect.)

        Click Add Permissions to add permissions.

        • Read: permission to read data
        • Write: permission to write data
        • Select/Deselect All: selects or deselects all permissions

        To add multiple permission control rules, click . To delete a permission control rule, click .

        For example, to grant user group hs_group1 read and write access to the obs://hs-test/user/hive/warehouse/o4 table, configure the policy as follows. Note that a user group name can contain up to 52 characters and only digits (0 to 9), letters (A to Z or a to z), underscores (_), and number signs (#). Otherwise, the policy cannot be added.

  5. Click Add to view the basic information about the policy in the policy list. After the policy takes effect, verify that the related permissions work as expected.

    If a policy is no longer used, click to delete it.
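
The following added example (not part of the original page or of Ranger) is an offline pre-check for the constraints in Table 1 and a review aid for permission recursion: it lists every policy whose Resource Path is the target folder or one of its ancestors. The policy dictionary shape, the function names and the sample policies are assumptions constructed for illustration; the script does not talk to Ranger.

```python
import re

# Group-name rule from the page: at most 52 characters drawn from
# digits, letters, underscores and number signs.
GROUP_RE = re.compile(r"[0-9A-Za-z_#]{1,52}")
PERMS = {"Read", "Write"}

def lint_policy(policy):
    """Return the problems found in a policy dict (hypothetical shape)."""
    problems = []
    if not policy.get("paths"):
        problems.append("no Resource Path")
    for path in policy.get("paths", []):
        if "*" in path:
            problems.append(f"wildcard not allowed: {path}")
    if not policy.get("groups"):
        problems.append("no group selected")
    for group in policy.get("groups", []):
        if not GROUP_RE.fullmatch(group):
            problems.append(f"invalid group name: {group}")
    if policy.get("users") or policy.get("roles"):
        problems.append("Select User / Select Role entries do not take effect")
    extra = set(policy.get("perms", [])) - PERMS
    if extra:
        problems.append(f"unknown permissions: {sorted(extra)}")
    return problems

def covers(policy_path, target):
    """True if target is policy_path or lies below it (whole path segments only)."""
    base = policy_path.rstrip("/")
    return target.rstrip("/") == base or target.startswith(base + "/")

def policies_reaching(target, group, policies):
    """Names of policies that can apply to target for group through recursion."""
    return [p["name"] for p in policies
            if group in p["groups"] and any(covers(x, target) for x in p["paths"])]

# Constructed sample policies; only the o4 path and hs_group1 come from the page.
POLICIES = [
    {"name": "o4_rw", "paths": ["obs://hs-test/user/hive/warehouse/o4"],
     "groups": ["hs_group1"], "perms": ["Read", "Write"]},
    {"name": "user_ro", "paths": ["obs://hs-test/user"],
     "groups": ["hs_group1"], "perms": ["Read"]},
    {"name": "bad", "paths": ["obs://hs-test/user/hive*"],
     "groups": ["hs-group1"], "users": ["alice"], "perms": ["Read"]},
]

if __name__ == "__main__":
    for p in POLICIES:
        print(p["name"], lint_policy(p))
```

Running `policies_reaching` for a folder before adding a policy shows which broader grants already reach it, which is how an over-wide parent policy is usually noticed.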