Security zones can be configured in Ranger 2.1.0 and later. You can allocate resources to different security zones and assign one or more administrators for each security zone. This way, different types of resources can be separately managed. This topic describes how to create security zone administrators and configure security zones. In this topic, E-MapReduce (EMR) V4.9.0 (Ranger 2.1.0) is used.

Background information

For example, a company has two departments, Department A and Department B. Department A uses the Hive database named a and the HDFS path /a. Department B uses the Hive database named b and the HDFS path /b. You can allocate Hive database a and HDFS path /a to a security zone named a, allocate Hive database b and HDFS path /b to a security zone named b, and then assign administrators to each security zone. Each administrator can then manage the permissions on the resources in their own security zone in a centralized manner.

Configurations of security zone a and security zone b (the emr-hive service owns the Hive database, and the emr-hdfs service owns the HDFS path):
Zone: a
  service: emr-hive; database=a
  service: emr-hdfs; path=/a/*

Zone: b
  service: emr-hive; database=b
  service: emr-hdfs; path=/b/*

An administrator can configure permissions only on resources in their own security zone. Permissions that they configure on resources in other security zones do not take effect. When a Ranger plug-in checks whether a user may access a resource, it first determines the security zone to which the resource belongs, and then evaluates the request only against the permissions configured in that security zone. If the resource does not belong to any security zone, Ranger evaluates the request against the permissions that were configured with no security zone selected.

Prerequisites

  • An EMR cluster is created, and Ranger is selected from the optional services when you create the cluster. For more information, see Create a cluster.
  • Hive is configured. For more information, see Hive.
  • HDFS is configured. For more information, see HDFS.

Limits

Security zones can be configured only in EMR V4.5.X and later minor versions and all EMR V5.X versions.

Considerations

Before you configure permissions on a resource that is not allocated to a specific security zone, you must first remove the security zone that is selected by default. Otherwise, the permissions do not take effect.

Click the delete icon in the Security Zone drop-down list to remove the selected security zone.

Create security zone administrators

  1. Access the Ranger web UI. For more information, see Access the Ranger UI.
  2. In the top navigation bar of the Ranger web UI, choose Settings > Users/Groups/Roles.
  3. On the Users tab, click Add New User.
  4. On the User Detail page, configure the parameters. Set Select Role to User.
    Notice: Select Role must be set to User. If you set this parameter to Admin, a super administrator is created. A super administrator can configure permissions on all resources in all security zones, so the administrator would no longer be limited to the resources in a specific security zone.

Configure security zones

Perform the following steps to configure security zone a and security zone b:

  1. Access the Ranger web UI. For more information, see Access the Ranger UI.
  2. In the top navigation bar of the Ranger web UI, click Security Zone.
  3. On the Security Zone page, click the add icon in the Security Zones section.
  4. On the Zone Edit page, configure the following parameters:
    Zone Name: The name of the security zone that you want to configure. Example: a
    Admin Users: The administrators of the security zone. The administrators are created in the Settings module. When you create administrators, you must set Select Role to User. For more information, see Create security zone administrators. Example: admin and admin_a
    Auditor Users: The users who are allowed to view the audit logs of the security zone. Example: admin and admin_a
    Select Resource Services: The services that you want to use in the security zone. Example: emr-hive and emr-hdfs
    Resource: The resources that you want to allocate to the security zone. Example: database=a (for emr-hive) and path=/a/* (for emr-hdfs)
  5. Click Save.
    Security zone a is configured.
  6. Repeat Step 3 to Step 5 to configure security zone b.

Perform tests

  1. Log on to the Ranger web UI as the admin_a user. For more information, see Access the Ranger UI.
  2. In the Security Zone section, select a.
  3. Click emr-hive to view the permissions for the emr-hive service.
    You can view and modify only the permissions that are configured in security zone a. To test this, configure permissions on a resource that belongs to security zone b. For example, grant the test user the SELECT permission on the b.test table. Then, use Beeline to run a query as the test user. The query is denied, which shows that the configuration does not take effect: Hive database b belongs to security zone b, so when Ranger checks the test user's access, it verifies only the permissions configured in security zone b, and the permissions that you configured on Hive database b from within security zone a are ignored.
  4. Log on to the Ranger web UI as the admin_b user. For more information, see Access the Ranger UI.
  5. In the Security Zone section, select b.
  6. Click emr-hive to view the permissions for the emr-hive service.
    You can view and modify only the permissions that are configured in security zone b. To test this, configure permissions on a resource that belongs to security zone b. For example, grant the test user the SELECT permission on the b.test table. Then, use Beeline to run a query as the test user. The query succeeds, which shows that the configuration takes effect.
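The behaviour described in the Background information section and verified in the tests above (the plug-in resolves the zone of the requested resource first, then consults only that zone's policies, and an unzoned resource is governed only by policies saved with no zone selected) can be reproduced with a small model. The following Python is an added, constructed example and is not Ranger's own code or REST API; the zone names, service names, users and the b.test table come from this topic, and the matching logic is a simplification (exact names and shell-style wildcards, allow policies only).

```python
"""Toy model of how a Ranger plug-in resolves a security zone before it
evaluates policies. Constructed example; not Ranger's implementation."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Zone:
    name: str
    admins: List[str]
    # service -> resource key -> patterns, e.g. {"emr-hive": {"database": ["a"]}}
    resources: Dict[str, Dict[str, List[str]]]


@dataclass
class Policy:
    service: str
    resource: Dict[str, str]   # e.g. {"database": "b", "table": "test"}
    users: List[str]
    accesses: List[str]
    zone: Optional[str]        # None: saved with no security zone selected
    created_by: str


def resolve_zone(zones: List[Zone], service: str, resource: Dict[str, str]) -> Optional[str]:
    """Return the zone that owns the resource, or None if the resource is unzoned."""
    for zone in zones:
        for key, patterns in zone.resources.get(service, {}).items():
            value = resource.get(key)
            if value is not None and any(fnmatchcase(value, p) for p in patterns):
                return zone.name
    return None


def policy_matches(policy: Policy, service: str, resource: Dict[str, str]) -> bool:
    """Every resource key named in the policy must match the requested resource."""
    if policy.service != service:
        return False
    return all(key in resource and fnmatchcase(resource[key], pattern)
               for key, pattern in policy.resource.items())


def is_allowed(zones, policies, service, resource, user, access) -> bool:
    """Step 1: find the resource's zone. Step 2: consult only that zone's policies."""
    owning_zone = resolve_zone(zones, service, resource)
    for policy in policies:
        if policy.zone != owning_zone:
            continue  # policies from another zone, or unzoned ones, are never evaluated
        if (policy_matches(policy, service, resource)
                and user in policy.users and access in policy.accesses):
            return True
    return False


def add_policy(zones, policies, policy: Policy) -> None:
    """Only a zone's administrators may save policies under that zone."""
    if policy.zone is not None:
        zone = next(z for z in zones if z.name == policy.zone)
        if policy.created_by not in zone.admins:
            raise PermissionError(f"{policy.created_by} does not administer zone {policy.zone}")
    policies.append(policy)


def demo_zones() -> List[Zone]:
    """Zones a and b as configured in this topic (constructed data)."""
    return [
        Zone("a", ["admin", "admin_a"], {"emr-hive": {"database": ["a"]}, "emr-hdfs": {"path": ["/a/*"]}}),
        Zone("b", ["admin", "admin_b"], {"emr-hive": {"database": ["b"]}, "emr-hdfs": {"path": ["/b/*"]}}),
    ]


def cross_zone_grant_is_ignored() -> bool:
    """Test step 3: admin_a grants SELECT on b.test from within zone a; it never applies."""
    zones, policies = demo_zones(), []
    add_policy(zones, policies, Policy("emr-hive", {"database": "b", "table": "test"},
                                       ["test"], ["select"], zone="a", created_by="admin_a"))
    return is_allowed(zones, policies, "emr-hive", {"database": "b", "table": "test"}, "test", "select")


def same_zone_grant_applies() -> bool:
    """Test step 6: admin_b makes the same grant in zone b; the query is allowed."""
    zones, policies = demo_zones(), []
    add_policy(zones, policies, Policy("emr-hive", {"database": "b", "table": "test"},
                                       ["test"], ["select"], zone="b", created_by="admin_b"))
    return is_allowed(zones, policies, "emr-hive", {"database": "b", "table": "test"}, "test", "select")


def unzoned_resource_needs_unzoned_policy() -> Dict[str, bool]:
    """Considerations: database c belongs to no zone, so only an unzoned policy applies."""
    zones, policies = demo_zones(), []
    request = ("emr-hive", {"database": "c", "table": "t1"}, "test", "select")
    add_policy(zones, policies, Policy("emr-hive", {"database": "c", "table": "*"},
                                       ["test"], ["select"], zone="a", created_by="admin_a"))
    zoned_only = is_allowed(zones, policies, *request)
    add_policy(zones, policies, Policy("emr-hive", {"database": "c", "table": "*"},
                                       ["test"], ["select"], zone=None, created_by="admin"))
    return {"zoned_policy_only": zoned_only, "after_unzoned_policy": is_allowed(zones, policies, *request)}
```

The model makes the two defender-relevant points explicit: a policy is consulted only when its zone equals the zone resolved for the requested resource, so a grant entered in the wrong zone is silently inert rather than an error, and the check is driven by the resource's zone, not by the administrator who saved the policy.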