Security zones can be configured in Ranger 2.1.0 and later. You can allocate resources to different security zones and assign one or more administrators for each security zone. This way, different types of resources can be separately managed. This topic describes how to configure security zones.

Background information

For example, a company has two departments, Department A and Department B. Department A uses the Hive database named a and the HDFS path /a. Department B uses the Hive database named b and the HDFS path /b. You can allocate Hive database a and HDFS path /a to a security zone named a, allocate Hive database b and HDFS path /b to a security zone named b, and then assign administrators for the security zones. The administrators can then configure permissions on the resources in their own security zones in a centralized manner.

Configurations of security zone a and security zone b:
Zone: a
  service: emr-hive; database=a
  service: emr-hdfs; path=/a/*

Zone: b
  service: emr-hive; database=b
  service: emr-hdfs; path=/b/*

An administrator can configure permissions on resources in their own security zone. If they configure permissions on resources in other security zones, the configurations do not take effect. When a Ranger plug-in authorizes a user's request, it first determines the security zone to which the requested resource belongs. Then, the Ranger plug-in evaluates the request based on the permissions configured in that security zone. If the requested resource does not belong to a security zone, Ranger evaluates the request based on the permissions that are not configured in a specific security zone.

Prerequisites

Limits

Security zones can be configured only in EMR V5.X.

Create security zone administrators

In this example, the admin_a and admin_b users are created as security zone administrators.

  1. Access the web user interface (UI) of Ranger. For more information, see Access the web UI of Ranger.
  2. In the top navigation bar, choose Settings > Users/Groups/Roles.
  3. On the Users tab, click Add New User.
  4. On the User Detail page, enter user information, set the Select Role parameter to User, and then click Save.
    Important: You must set the Select Role parameter to User. If you set this parameter to Admin, the user is created as a super administrator. A super administrator can configure permissions on all resources in all security zones. In this example, an administrator needs to configure permissions only on resources in a specific security zone.

Configure security zones

Perform the following steps to configure Security Zone a and Security Zone b:

  1. Access the web UI of Ranger. For more information, see Access the web UI of Ranger.
  2. In the top navigation bar, click Security Zone.
  3. On the Security Zone page, click the add icon in the Security Zones section.
  4. On the Create Zone page, configure the parameters that are described in the following table.
    Parameter | Description | Example
    Zone Name | The name of the security zone. | a
    Admin Users | The administrators of the security zone. The administrators are created in the Settings module. When you create administrators, you must set the Select Role parameter to User. For more information, see the Create security zone administrators section of this topic. | admin and admin_a
    Auditor Users | The users who are allowed to view the audit logs of the security zone. | admin and admin_a
    Select Resource Services | The services that you want to use in the security zone. | emr-hive and emr-hdfs
    Resource | The resources that you want to allocate to the security zone. | database=a and path=/a/*
  5. Click Save. Security Zone a is configured.
  6. Repeat Step 3 to Step 5 to configure Security Zone b.

Test security zones

  1. Log on to the web UI of Ranger as the admin_a user. For more information, see Access the web UI of Ranger.
  2. In the upper-right corner, select a in the Security Zone section.
  3. Click emr-hive to view the permissions for the emr-hive service.
    You can view and modify only the permissions that are configured in Security Zone a. To perform a test, you can configure permissions on a resource that belongs to Security Zone b. For example, grant the test user the SELECT permission on the test table of Hive Database b. Then, use Beeline to perform a test. The test results show that the configuration does not take effect. Hive Database b belongs to Security Zone b. Therefore, when Ranger authorizes the test user, only permissions configured in Security Zone b are evaluated. As a result, the permissions that you configured on Hive Database b in Security Zone a do not take effect.
  4. Log on to the web UI of Ranger as the admin_b user. For more information, see Access the Ranger UI.
  5. In the upper-right corner, select b in the Security Zone section.
  6. Click emr-hive to view the permissions for the emr-hive service.
    You can view and modify only the permissions that are configured in Security Zone b. To perform a test, you can configure permissions on a resource that belongs to Security Zone b. For example, grant the test user the SELECT permission on the test table of Hive Database b. Use Beeline to perform a test. The test results show that the configuration takes effect.
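
The zone-first evaluation described in the background section, replayed against the two tests above, as an added example that is not part of the original documentation and is not Ranger's own code. It is a simplified Python model: the helper names (policy, zone_of, is_allowed, run_page_tests), the policy records, and the unzoned database c are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed data mirroring the page's example zones (simplified model).
ZONES = {
    "a": {"emr-hive": {"database": ["a"]}, "emr-hdfs": {"path": ["/a/*"]}},
    "b": {"emr-hive": {"database": ["b"]}, "emr-hdfs": {"path": ["/b/*"]}},
}

def policy(zone, database):
    """Constructed policy: the test user gets SELECT on <database>.test.
    zone is the zone the policy was created in; "" means no zone."""
    return {"zone": zone, "service": "emr-hive", "user": "test",
            "access": "select",
            "resource": {"database": database, "table": "test"}}

def zone_of(service, resource):
    """Return the zone whose patterns cover the resource, or "" if none."""
    for name, services in ZONES.items():
        for key, patterns in services.get(service, {}).items():
            value = resource.get(key)
            if value is not None and any(fnmatchcase(value, p) for p in patterns):
                return name
    return ""

def is_allowed(policies, service, resource, user, access):
    """Evaluate only the policies stored in the zone that owns the resource."""
    zone = zone_of(service, resource)
    for p in policies:
        if (p["zone"], p["service"], p["user"], p["access"]) != (zone, service, user, access):
            continue
        if all(fnmatchcase(resource.get(k, ""), v) for k, v in p["resource"].items()):
            return True
    return False  # no matching policy in the owning zone

def run_page_tests():
    """Replay the two tests from the page, plus an unzoned resource."""
    table_b = {"database": "b", "table": "test"}
    table_c = {"database": "c", "table": "test"}  # c belongs to no zone
    check = lambda pols, res: is_allowed(pols, "emr-hive", res, "test", "select")
    return {
        "policy_for_b_created_in_zone_a": check([policy("a", "b")], table_b),
        "policy_for_b_created_in_zone_b": check([policy("b", "b")], table_b),
        "unzoned_policy_on_zoned_db_b": check([policy("", "b")], table_b),
        "unzoned_policy_on_unzoned_db_c": check([policy("", "c")], table_c),
    }

if __name__ == "__main__":
    for name, allowed in run_page_tests().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

A policy that shows up in the UI but sits in a zone that does not own its resource is a silent no-op, so when reviewing grants, compare each policy's zone with the zone that zone_of reports for its resource.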