Adding a Ranger Access Permission Policy for Elasticsearch

Scenario

Ranger administrators can use Ranger to configure the permissions on Elasticsearch index creation and deletion for Elasticsearch users.

Prerequisites

• The Ranger service has been installed and is running properly.
• You have created users, user groups, or roles for which you want to configure permissions.

Procedure

1. Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI.
2. On the home page, click the component plug-in name in the ELASTICSEARCH area, for example, Elasticsearch.
3. Click Add New Policy to add an Elasticsearch permission control policy.
4. Configure the parameters listed in the table below based on the service demands.

   Table 1 Elasticsearch permission parameters

   Parameter	Description
   Policy Name	Policy name, which can be customized and must be unique in the service.
   Policy Conditions	IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10,192.168.1.20, or 192.168.1.*.
   Policy Label	A label specified for the current policy. You can search for reports and filter policies based on labels.
   Index	Index name, index alias, or index template name. This parameter is used to configure the index or index template to which the current policy applies. Multiple values can be entered. The wildcard * is supported.
   Description	Policy description.
   Audit Logging	Whether to audit the policy.
   Allow Conditions	Permission and exception conditions allowed by a policy. The priority of an exception condition is higher than that of a normal condition. In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which you want to assign permissions. NOTICE: When setting the Select Group column, do not add the elasticsearch user group to the policy. Otherwise, the permission may be amplified. Click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add corresponding permissions. all: executing all permissions monitor: index monitoring permission, including cat_index_recovery manage: index management permission, including monitor and cat_index_recovery view_index_metadata: permission to view index metadata, including indeces_search_shards and cat_index_metadata read: index read permission, including clear_search_scroll read_cross_cluster: cross-cluster index read permission, including indices_search_shards index: index document write/update permission, including indices_put, indices_bulk, and indices_index create: index write permission, including indices_put, indices_bulk, and indices_index delete: permission to delete index documents, including indices_bulk write: permission to write, update, and delete index documents, including the indices_put permission delete_index: permission to delete an index create_index: permission to create an index cluster_manage: permission to manage clusters, including cluster_monitor cluster_monitor: cluster monitoring permission, including clear_search, cat_index_recovery and cat_index_metadata indices_put: permission to set index mapping indices_search_shards: permission to query index shards indices_bulk: batch request permission indices_index: permission to write index files cat_index_recovery: permission to execute the cat recovery API cat_index_metadata: permission to execute the cat indices API clear_search_scroll: permission to query indexes in rolling mode and clear the rolling query cache asynchronous_search: permission to perform asynchronous search script: permission to execute scripts Select/Deselect All: permission to select or deselect all If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users or user groups will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy. To add multiple permission control rules, click . To delete a permission control rule, click .
   Deny All Other Accesses	Whether to reject all other access requests.

   Table 2 Setting permissions

   Task	Role Authorization
   Setting the administrator permission	On the home page, click the component plug-in name in the ELASTICSEARCH area, for example, Elasticsearch. Select the policy whose Policy Name is all - index and click to edit the policy. In the Allow Conditions area, select a user from the Select User drop-down list.
   Setting a user's read and write permissions on a specified index	Configure an index or index template in the Index area. In the Allow Conditions area, select a user from the Select User drop-down list. Click Add Permissions and select read and write.

   Example: Grant user testuser the permission to create, delete, read, write, monitor, and manage indexes starting with index.

   

   Example: Grant the permission to run the client sample to user testuser.

   

5. (Optional) Add the validity period of the policy. Click Add Validity period in the upper right corner of the page, set Start Time and End Time, and select Time Zone. Click Save. To add multiple policy validity periods, click . To delete a policy validity period, click .
6. Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.

   To disable a policy, click to edit the policy and set the policy to Disabled.

   If a policy is no longer used, click to delete it.