Adding a Ranger Access Permission Policy for HetuEngine
Scenario
Ranger administrators can use Ranger to configure management permissions for HetuEngine users on data source resources such as catalog, trinouser, systemproperty, function, schema, sessionproperty, table, procedure, and column.
Prerequisites
- The Ranger service has been installed and is running properly.
- You have created users, user groups, or roles for which you want to configure permissions.
- The users have been added to the hetuuser group.
- Before using HetuEngine, ensure that the client operator or user in the configuration file for connecting to the data source has the expected operation permission. If the user does not have it, configure the permission by referring to the corresponding data source permission requirements.
Procedure
- Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI.
- On the homepage, click HetuEngine in the TRINO area.
- On the Access tab page, click Add New Policy to add a HetuEngine permission control policy.
- Configure the parameters listed in the table below based on the service demands.
The access policy on the catalog where the table resides is a basic policy and must be configured before any other policy. For details, see Table 2.
Table 1 HetuEngine permission parameters (Parameter / Description)
Policy Name
Policy name, which can be customized and must be unique in the service. The policy has two states:
- Enabled: Enable the current policy.
- Disabled: Disable the current policy.
Policy Conditions
IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10,192.168.1.20, or 192.168.1.*.
Policy Label
A label specified for the current policy. You can search for reports and filter policies based on labels.
catalog
Name of the data source catalog to which the policy applies. If this parameter is set to *, the policy applies to all catalogs.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
trinouser
Name of the trinouser to which the policy applies. If this parameter is set to *, the policy covers impersonated (simulated) access as any trinouser.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
systemproperty
Name of the system session attribute to which the policy applies. The value * indicates all system session attributes.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
function
Name of the function to which the policy applies. The value * indicates all functions.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
schema
Name of the schema to which the policy applies. The value * indicates all schemas.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
sessionproperty
Data source session attribute to which the policy applies. The value * indicates all session attributes of the data source.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
table
Name of the table or view to which the policy applies. If this parameter is set to *, the policy applies to all tables.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
procedure
Name of the procedure to which the policy applies. The value * indicates all procedures.
- Include: The policy applies to the current input object.
- Exclude: The policy applies to objects other than the current input.
column
Name of the column to which the policy applies. The value * indicates all columns.
Description
Policy description.
Audit Logging
Whether to audit the policy.
Allow Conditions
Policy allowed condition. You can configure permissions and exceptions allowed by the policy.
In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which you want to assign permissions. Click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add corresponding permissions.
- Select: permission to query data
- Insert: permission to insert data
- Create: permission to create data
- Drop: permission to drop data
- Delete: permission to delete data
- Use: permission to use data
- Alter: permission to alter data
- Grant: Grants specific permissions to a specific user.
- Revoke: Revokes specific permissions from a specific user.
- Show: permission to display the types and other attributes of all authorized columns in a specified table.
- Impersonate: permission for a Kerberos- or LDAP-authenticated user to impersonate (simulate) the specified trinouser.
- Update: permission required for update
- execute: permission to execute functions
- All: all permissions (including the Admin permission)
- Select/Deselect All: Select or deselect all.
To add multiple permission control rules, click the add icon.
If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users become delegated administrators: they can update and delete this policy and create child policies based on it.
Deny Conditions
Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is the same as that of Allow Conditions.
- A permission must be configured at the resource level to which it belongs. If the level does not match, the permission configuration does not take effect.
- Ranger checks a user's permissions in two steps: first whether the user may access the catalog, then the specific permissions the requested operation involves.
Table 2 Setting permissions (Task / Role Authorization)
Granting the access policy to the catalog where the table is located (mandatory before other policies are configured)
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the resource to be authorized, for example, hive.
- schema: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Select.
NOTICE: This policy is a basic policy. Before configuring other policies, ensure that this policy has been configured.
Granting the permission to access the remote HetuEngine table
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the table to be authorized, for example, systemremote and svc.
- Select schema from the drop-down list box under Catalog and enter * in the text box.
- Select table from the drop-down list box under schema and enter * in the text box.
- Select column from the drop-down list box under table and enter * in the text box.
- Enter the authorized remote HetuEngine user in the Select User text box.
- In Permissions, select Create, Drop, Select, and Insert.
NOTE: This policy is a basic policy for remote HetuEngine tables. Before configuring other policies, ensure that this policy has been configured.
Create schemas
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target schema to be authorized, for example, hive.
- schema: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Create.
Drop schemas
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target schema to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the target schema to be authorized in the text box. If this parameter is set to *, all schemas under the current catalog are authorized.
- table: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Drop.
Show schemas
Add permissions on the catalog to which the schema belongs.
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target schema to be authorized, for example, hive.
- schema: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Show and Select.
Add the show permission for a schema.
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target schema to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the target schema to be authorized in the text box. If this parameter is set to *, all schemas under the current catalog are authorized.
- table: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Select.
NOTE:
- To run the show schemas command, you need the Show permission on the catalog. Similarly, to run the show tables command, you need the Show permission on the schema.
- After authentication, the returned schema and table lists are filtered so that only schemas and tables with the Select permission are displayed. Therefore, configure the Select permission for the schemas and tables that a Show command should list.
- Schemas and tables on which you hold permissions are displayed only if you also have the Select permission on their catalog.
Create table
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- table: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Create.
Drop tables
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
- column: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Drop.
Delete table
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
- column: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Delete.
Alter tables
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
- column: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Alter.
NOTE:
- ALTER TABLE table_name DROP [IF EXISTS] PARTITION partition_spec[, PARTITION partition_spec, ...]; requires the table-level delete and column-level select permissions.
- ALTER TABLE table_name DROP COLUMN column_name and ALTER TABLE table_name_2 EXCHANGE PARTITION require the table-level drop permission.
Show tables
Add permissions on the schema to which the table belongs.
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target schema to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema whose tables may be shown in the text box, for example, default.
- table: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Show.
Add the show permission for a table.
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema whose tables may be shown in the text box, for example, default.
- table: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Select.
Show partitions
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema whose tables may be shown in the text box, for example, default.
- Select table from the schema drop-down list and enter the target table to be authorized, for example, hive_table, and the internal table corresponding to the target table, for example, hive_table$partitions.
- Select column from the drop-down list box under table and enter the name of the target column to be authorized in the text box. If this parameter is set to *, all columns under the current table are authorized.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Select.
NOTE: When partitions of a table are queried, HetuEngine rewrites the query during SQL parsing into a query on the internal table <name of the queried table>$partitions.
Insert
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
- column: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Insert.
Delete
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
- column: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Delete.
Select
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
- Select column from the drop-down list box under table and enter the name of the target column to be authorized in the text box. If this parameter is set to *, all columns under the current table are authorized.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Select.
Show columns
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target table to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target table to be authorized resides in the text box, for example, default.
- Select table from the drop-down list box under schema and enter the name of the target table to be authorized in the text box. If this parameter is set to *, all tables under the current schema are authorized.
- column: Select none from the drop-down list box.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select Select and Show.
Set session
- Enter the policy name in Policy Name.
- Select systemproperty under Policy Label and enter the name of the session property to be authorized in the systemproperty text box, for example, implicit_conversion. If an asterisk (*) is entered, all session properties are authorized.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permission, select ALTER.
Function operation
- Enter the policy name in Policy Name.
- Select function under Policy Label and enter the name of the function to be authorized in the function text box, for example, sum. If an asterisk (*) is entered, all functions are authorized.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permission, select execute.
Procedure operation
- Enter the policy name in Policy Name.
- In Catalog, enter the catalog of the target procedure to be authorized, for example, hive.
- Select schema from the drop-down list box under Catalog and enter the name of the schema where the target procedure to be authorized resides in the text box, for example, system.
- Select procedure from the drop-down list box under schema and enter the name of the target procedure to be authorized in the text box. If this parameter is set to *, all procedures under the current schema are authorized.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permissions, select execute.
Access simulation operation
- Enter the policy name in Policy Name.
- Select trinouser under Policy Label and enter the name of the trinouser to be impersonated (simulated) in the trinouser text box, for example, user1. If an asterisk (*) is entered, all users can be impersonated.
- Enter the authorized HetuEngine user in the Select User text box.
- In Permission, select Impersonate.
- The configuration takes effect about 30 seconds after the permission is configured.
- Permission control is currently supported down to the column level.
- (Optional) Add a validity period for the policy. Click Add Validity period in the upper right corner of the page, set Start Time and End Time, and select Time Zone. Click Save. To add multiple validity periods, click the add icon. To delete a validity period, click the delete icon.
- Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.
To disable a policy, click the edit icon to edit the policy and set it to Disabled.
If a policy is no longer used, click the delete icon to delete it.
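The rules above (wildcard *, Include/Exclude per resource level, Deny Conditions evaluated before Allow Conditions, and the two-step catalog-then-permission check from the notes under Table 1) are easier to reason about as code. The following model is an added example, not Ranger's or HetuEngine's own code; the policy names, user names and the hive catalog are constructed sample data, and the assumption that a policy level the request does not name must be * is this model's simplification, not a statement about Ranger's matcher.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Resource:
    """One resource level of a policy (catalog, schema, table, column, ...)."""
    values: list                 # names entered in the text box; '*' matches everything
    exclude: bool = False        # Exclude: policy applies to everything except `values`

    def matches(self, name):
        hit = any(fnmatchcase(name, pattern) for pattern in self.values)
        return (not hit) if self.exclude else hit

    def is_any(self):
        return not self.exclude and "*" in self.values


@dataclass
class Policy:
    name: str
    resources: dict              # level -> Resource, e.g. {"catalog": Resource(["hive"])}
    users: set
    accesses: set                # lower-case permission names, e.g. {"select", "insert"}
    deny: bool = False           # True for an item under Deny Conditions
    enabled: bool = True

    def matches(self, user, resource, access):
        if not self.enabled or user not in self.users or access not in self.accesses:
            return False
        # Model assumption: every level named in the request must be defined by the
        # policy, and policy levels the request does not name must be '*', so a
        # table-level policy never satisfies a catalog-level check on its own.
        for level, name in resource.items():
            if level not in self.resources or not self.resources[level].matches(name):
                return False
        return all(res.is_any() for level, res in self.resources.items() if level not in resource)


def _decide(policies, user, resource, access):
    """Deny Conditions win: a matching deny item blocks access even if an allow item matches."""
    if any(p.deny and p.matches(user, resource, access) for p in policies):
        return False
    return any(not p.deny and p.matches(user, resource, access) for p in policies)


def is_allowed(policies, user, resource, access):
    """Two-step check: Select on the catalog first (the basic policy of Table 2),
    then the permission the operation itself needs on the full resource."""
    if not _decide(policies, user, {"catalog": resource["catalog"]}, "select"):
        return False
    return _decide(policies, user, resource, access)


# Constructed sample policies (placeholder users, names and catalog).
EMP = {"catalog": "hive", "schema": "default", "table": "employees"}
SAMPLE_POLICIES = [
    Policy("catalog-basic", {"catalog": Resource(["hive"])},
           {"analyst", "auditor"}, {"select"}),
    Policy("default-select", {"catalog": Resource(["hive"]), "schema": Resource(["default"]),
                              "table": Resource(["*"]), "column": Resource(["*"])},
           {"analyst", "intern"}, {"select"}),
    Policy("analyst-no-salary", {**{k: Resource([v]) for k, v in EMP.items()},
                                 "column": Resource(["salary"])},
           {"analyst"}, {"select"}, deny=True),
    Policy("auditor-non-pii", {**{k: Resource([v]) for k, v in EMP.items()},
                               "column": Resource(["salary", "ssn"], exclude=True)},
           {"auditor"}, {"select"}),
]


def demo():
    col = lambda c: {**EMP, "column": c}
    return {
        "analyst name": is_allowed(SAMPLE_POLICIES, "analyst", col("name"), "select"),     # True
        "analyst salary": is_allowed(SAMPLE_POLICIES, "analyst", col("salary"), "select"), # False: deny item
        "intern name": is_allowed(SAMPLE_POLICIES, "intern", col("name"), "select"),       # False: no catalog policy
        "auditor name": is_allowed(SAMPLE_POLICIES, "auditor", col("name"), "select"),     # True: Exclude list
        "auditor ssn": is_allowed(SAMPLE_POLICIES, "auditor", col("ssn"), "select"),       # False: excluded column
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

The intern case is the one that trips people up in practice: a table-level Select policy alone yields a denial because the catalog-level basic policy is missing, which is exactly why Table 2 lists it as mandatory.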
HetuEngine Data Masking
Ranger supports data masking for HetuEngine data. It can process the return result of the select operation performed by a user to mask sensitive information.
- Log in to the Ranger web UI. Click HetuEngine in the TRINO area on the homepage.
- On the Masking tab page, click Add New Policy to add a HetuEngine data masking policy.
- Configure the parameters listed in the table below based on the service demands.
Table 3 HetuEngine data masking parameters (Parameter / Description)
Policy Name
Policy name, which can be customized and must be unique in the service.
Policy Conditions
IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10,192.168.1.20, or 192.168.1.*.
Policy Label
A label specified for the current policy. You can search for reports and filter policies based on labels.
Trino Catalog
Name of the catalog to which the current policy applies.
Trino Schema
- Hive, Hudi, HBase, ClickHouse, HetuEngine, and IoTDB data sources: name of the database used by the current policy.
- GaussDB and MySQL data sources: name of the schema used by the current policy.
Trino Table
Name of the table to which the current policy applies.
Trino Column
Name of the column to which the current policy applies.
Description
Policy description.
Audit Logging
Whether to audit the policy.
Mask Conditions
In the Select Role, Select Group, and Select User columns, select the object to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, then click Add Permissions, and select Select.
Click Select Masking Option and select a data masking policy.
- Redact: Replace every letter with x and every digit with 0.
- Partial mask: show last 4: Only the last four characters are displayed; the remaining characters are replaced with x.
- Partial mask: show first 4: Only the first four characters are displayed; the remaining characters are replaced with x.
- Hash: Replace the original value with its hash value. The built-in to_utf8(varchar(x)) function of HetuEngine is used. This option is valid only for fields of the STRING, CHAR, and VARCHAR types.
- Nullify: Replace the original value with NULL.
- Unmasked (retain original value): Keep the original value.
- Date: show only year: Only the year part of the date is kept; the month and day are set to the default 01/01 (January 1).
- Custom: A custom masking expression. Its return data type must be the same as the data type of the masked column.
To add a multi-column masking policy, click the add icon.
- Click Add to view the basic information about the policy in the policy list.
- After a user performs the select operation on a table for which a data masking policy has been configured on a HetuEngine client, the system processes the data and displays it.
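To see what each masking option does to a result set before applying it to production data, the following added example models the options listed in Table 3 over a constructed row. It is not HetuEngine's or Ranger's code: the Hash option is stood in for by a SHA-256 digest of the UTF-8 bytes (the page names to_utf8(varchar(x)), which is a different function), dates are assumed to be ISO yyyy-mm-dd strings, and the sample names and numbers are fictitious.

```python
import hashlib
from datetime import date


def redact(value):
    """Redact: every letter becomes x, every digit becomes 0, other characters stay."""
    return "".join("x" if ch.isalpha() else "0" if ch.isdigit() else ch for ch in value)


def show_last_4(value):
    """Partial mask: show last 4; everything before the last four characters becomes x."""
    return "x" * max(len(value) - 4, 0) + value[-4:]


def show_first_4(value):
    """Partial mask: show first 4; everything after the first four characters becomes x."""
    return value[:4] + "x" * max(len(value) - 4, 0)


def hash_value(value):
    # Model only: SHA-256 over the UTF-8 bytes stands in for the engine's built-in
    # hashing. This is an assumption of the example, not HetuEngine's function.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def nullify(value):
    return None


def unmasked(value):
    return value


def date_show_year(value):
    """Date: show only year; month and day fall back to 01/01 (input assumed ISO yyyy-mm-dd)."""
    return date(date.fromisoformat(value).year, 1, 1).isoformat()


MASK_OPTIONS = {
    "Redact": redact,
    "Partial mask: show last 4": show_last_4,
    "Partial mask: show first 4": show_first_4,
    "Hash": hash_value,
    "Nullify": nullify,
    "Unmasked (retain original value)": unmasked,
    "Date: show only year": date_show_year,
}


def apply_masks(rows, column_masks):
    """Return a masked copy of `rows`. column_masks maps column -> option name, or a
    callable for the Custom option; unlisted columns pass through unchanged."""
    masked = []
    for row in rows:
        out = {}
        for column, value in row.items():
            mask = column_masks.get(column)
            if mask is None or value is None:
                out[column] = value
            elif callable(mask):
                out[column] = mask(value)
            else:
                out[column] = MASK_OPTIONS[mask](value)
        masked.append(out)
    return masked


# Constructed sample result set of a select on an employees table; fictitious values.
SAMPLE_ROWS = [
    {"name": "Ada Lovelace", "phone": "555-0142-7788", "email": "ada@example.com",
     "card": "4111111111111111", "birth_date": "1985-11-23", "dept": "research"},
]
SAMPLE_MASKS = {
    "name": "Redact",
    "phone": "Partial mask: show last 4",
    "email": "Hash",
    "card": "Nullify",
    "birth_date": "Date: show only year",
    "dept": lambda v: v[:1] + "***",   # Custom: returns the same (string) type as the column
}


if __name__ == "__main__":
    for row in apply_masks(SAMPLE_ROWS, SAMPLE_MASKS):
        print(row)
```

Note that Nullify is the only option that removes the value entirely; the partial masks and Redact keep the length of the original, which can still leak information such as the number of digits in an identifier.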
HetuEngine Row-level Data Filtering
Ranger allows you to filter data at the row level when you perform the select operation on a HetuEngine data table.
- Log in to the Ranger web UI. Click HetuEngine in the TRINO area on the homepage.
- On the Row Level Filter tab page, click Add New Policy to add a row data filtering policy.
- Configure the parameters listed in the table below based on the service demands.
Table 4 Parameters for filtering HetuEngine row data (Parameter / Description)
Policy Name
Policy name, which can be customized and must be unique in the service.
Policy Conditions
IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10,192.168.1.20, or 192.168.1.*.
Policy Label
A label specified for the current policy. You can search for reports and filter policies based on labels.
Trino Catalog
Name of the catalog to which the current policy applies.
Trino Schema
- Hive, Hudi, HBase, ClickHouse, HetuEngine, and IoTDB data sources: name of the database used by the current policy.
- GaussDB and MySQL data sources: name of the schema used by the current policy.
Trino Table
Name of the table to which the current policy applies.
Description
Policy description.
Audit Logging
Whether to audit the policy.
Row Filter Conditions
In the Select Role, Select Group, and Select User columns, select the object to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, then click Add Permissions, and select Select.
Click Row Level Filter and enter data filtering rules.
For example, if you want to filter the data in the zhangsan row in the name column of table A, the filtering rule is name <>'zhangsan'. For more information, see the official Ranger document.
To add more rules, click the add icon.
- Click Add to view the basic information about the policy in the policy list.
- After a user performs the select operation on a HetuEngine client against a table for which a row-level filtering policy has been configured, the system filters the data and displays the result.
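The three procedures on this page (the access policy from Table 2, the masking policy from Table 3 and the row-level filter from Table 4) can also be created through Ranger's public REST API instead of the web UI, which is how most teams keep policies in version control. The following added example builds the request bodies for all three and posts them; it is not code from the page or from the HetuEngine or Ranger projects. The endpoint /service/public/v2/api/policy, the field names (policyType 0/1/2, resources, policyItems, dataMaskPolicyItems, rowFilterPolicyItems, validitySchedules) and the mask type names such as MASK_SHOW_LAST_4 follow the Ranger public v2 API as the author knows it; the Ranger service name, user names and the yyyy/MM/dd HH:mm:ss validity format are assumptions and are marked as placeholders.

```python
import base64
import json
import urllib.request

ACCESS, MASK, ROW_FILTER = 0, 1, 2     # Ranger policyType values


def resource(level, values, exclude=False):
    """One resource level; exclude=True is the Exclude switch of the UI."""
    return {level: {"values": list(values), "isExcludes": exclude, "isRecursive": False}}


def policy_item(users=(), groups=(), roles=(), accesses=(), delegate_admin=False):
    """One row of Allow/Deny Conditions: who, which permissions, Delegate Admin."""
    return {"users": list(users), "groups": list(groups), "roles": list(roles),
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "conditions": [], "delegateAdmin": delegate_admin}


def validity_period(start, end, time_zone="UTC"):
    # Assumption: Ranger expects "yyyy/MM/dd HH:mm:ss" strings here.
    return {"startTime": start, "endTime": end, "timeZone": time_zone}


def base_policy(service, name, policy_type, resources, description="", labels=(), validity=None):
    policy = {"service": service, "name": name, "policyType": policy_type,
              "description": description, "isEnabled": True, "isAuditEnabled": True,
              "policyLabels": list(labels), "resources": {}}
    for res in resources:
        policy["resources"].update(res)
    if validity:
        policy["validitySchedules"] = [validity]
    return policy


def access_policy(service, name, resources, allow_items, deny_items=(), validity=None):
    policy = base_policy(service, name, ACCESS, resources, validity=validity)
    policy["policyItems"] = list(allow_items)
    policy["denyPolicyItems"] = list(deny_items)
    return policy


def catalog_basic_policy(service, catalog, users):
    """Table 2, first row: Select on the catalog only, schema left at 'none'."""
    return access_policy(service, f"{catalog}-catalog-basic", [resource("catalog", [catalog])],
                         [policy_item(users=users, accesses=["select"])])


def masking_policy(service, catalog, schema, table, column, users, mask_type, value_expr=None):
    """Table 3: mask one column for the given users; mask_type e.g. MASK_SHOW_LAST_4 or CUSTOM."""
    res = [resource("catalog", [catalog]), resource("schema", [schema]),
           resource("table", [table]), resource("column", [column])]
    policy = base_policy(service, f"mask-{table}-{column}", MASK, res)
    item = policy_item(users=users, accesses=["select"])
    item["dataMaskInfo"] = {"dataMaskType": mask_type}
    if value_expr is not None:                   # only meaningful for CUSTOM
        item["dataMaskInfo"]["valueExpr"] = value_expr
    policy["dataMaskPolicyItems"] = [item]
    return policy


def row_filter_policy(service, catalog, schema, table, users, filter_expr):
    """Table 4: rows for which filter_expr is false are hidden from the given users."""
    res = [resource("catalog", [catalog]), resource("schema", [schema]), resource("table", [table])]
    policy = base_policy(service, f"rowfilter-{table}", ROW_FILTER, res)
    item = policy_item(users=users, accesses=["select"])
    item["rowFilterInfo"] = {"filterExpr": filter_expr}
    policy["rowFilterPolicyItems"] = [item]
    return policy


def to_json(policy):
    return json.dumps(policy, indent=2, sort_keys=True)


def submit(ranger_url, admin_user, admin_password, policy):
    """POST one policy to Ranger (network call; not exercised offline)."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(f"{ranger_url.rstrip('/')}/service/public/v2/api/policy",
                                 data=to_json(policy).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Accept": "application/json",
                                          "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    svc = "HETU_RANGER_SERVICE_PLACEHOLDER"      # placeholder: the HetuEngine service name in Ranger
    print(to_json(catalog_basic_policy(svc, "hive", ["analyst"])))
    print(to_json(masking_policy(svc, "hive", "default", "employees", "phone", ["analyst"], "MASK_SHOW_LAST_4")))
    print(to_json(row_filter_policy(svc, "hive", "default", "A", ["analyst"], "name <> 'zhangsan'")))
```

Keep the generated JSON in a repository and diff it before submitting: a policy whose resources block unexpectedly contains a * at the catalog level, or a deny item that vanished, is far easier to spot in a review than in the web UI.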