forked from docs/doc-exports
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
<a name="mrs_01_1853"></a>
<h1 class="topictitle1">Configuring a Security Zone</h1>
<div id="body1595917959387"><p id="mrs_01_1853__p8060118">Security zones can be configured using Ranger. <span id="mrs_01_1853__ph1166323512019">Ranger administrators</span> can divide the resources of each component into multiple security zones, and administrators of a zone set security policies for specified resources in that zone to simplify management. Policies defined in a security zone apply only to resources in the zone. After service resources are allocated to a security zone, the access permission policies defined outside the zone no longer take effect for those resources. The administrator of a security zone can set policies only in the security zone that the administrator belongs to.</p>
<div class="section" id="mrs_01_1853__section176431441438"><h4 class="sectiontitle">Adding a Security Zone</h4><ol id="mrs_01_1853__ol1287611964413"><li id="mrs_01_1853__li087613915442"><span>Log in to the Ranger management page as the Ranger administrator.</span></li><li id="mrs_01_1853__li687371014415"><span>Click <span class="wintitle" id="mrs_01_1853__wintitle13958330121216"><b>Security Zone</b></span>. On the zone list page, click <span><img id="mrs_01_1853__image864315138450" src="en-us_image_0000001349289401.png"></span> to add a zone.</span><p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1853__table912612911478" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a security zone</caption>
<thead align="left"><tr id="mrs_01_1853__row112614918477">
<th align="left" class="cellrowborder" valign="top" width="20.23%" id="mcps1.3.2.2.2.2.1.2.4.1.1"><p id="mrs_01_1853__p1312669114711">Parameter</p></th>
<th align="left" class="cellrowborder" valign="top" width="66.45%" id="mcps1.3.2.2.2.2.1.2.4.1.2"><p id="mrs_01_1853__p1912619915474">Description</p></th>
<th align="left" class="cellrowborder" valign="top" width="13.32%" id="mcps1.3.2.2.2.2.1.2.4.1.3"><p id="mrs_01_1853__p295155416494">Example Value</p></th>
</tr></thead>
<tbody>
<tr id="mrs_01_1853__row018862516475">
<td class="cellrowborder" valign="top" width="20.23%" headers="mcps1.3.2.2.2.2.1.2.4.1.1 "><p id="mrs_01_1853__p1918862514719">Zone Name</p></td>
<td class="cellrowborder" valign="top" width="66.45%" headers="mcps1.3.2.2.2.2.1.2.4.1.2 "><p id="mrs_01_1853__p018832584712">Name of the security zone</p></td>
<td class="cellrowborder" valign="top" width="13.32%" headers="mcps1.3.2.2.2.2.1.2.4.1.3 "><p id="mrs_01_1853__p1895116542497">test</p></td>
</tr>
<tr id="mrs_01_1853__row2126693471">
<td class="cellrowborder" valign="top" width="20.23%" headers="mcps1.3.2.2.2.2.1.2.4.1.1 "><p id="mrs_01_1853__p11264914712">Zone Description</p></td>
<td class="cellrowborder" valign="top" width="66.45%" headers="mcps1.3.2.2.2.2.1.2.4.1.2 "><p id="mrs_01_1853__p112611910478">Description of the security zone</p></td>
<td class="cellrowborder" valign="top" width="13.32%" headers="mcps1.3.2.2.2.2.1.2.4.1.3 "><p id="mrs_01_1853__p13951115494910">-</p></td>
</tr>
<tr id="mrs_01_1853__row11262934719">
<td class="cellrowborder" valign="top" width="20.23%" headers="mcps1.3.2.2.2.2.1.2.4.1.1 "><p id="mrs_01_1853__p137066431479">Admin Users/Admin Usergroups</p></td>
<td class="cellrowborder" valign="top" width="66.45%" headers="mcps1.3.2.2.2.2.1.2.4.1.2 "><p id="mrs_01_1853__p1088114234611">Administrator users and user groups of the security zone. They can add and modify permission policies for the resources in the security zone.</p>
<p id="mrs_01_1853__p8126192477">At least one user or user group must be configured.</p></td>
<td class="cellrowborder" valign="top" width="13.32%" headers="mcps1.3.2.2.2.2.1.2.4.1.3 "><p id="mrs_01_1853__p19511543491">zone_admin</p></td>
</tr>
<tr id="mrs_01_1853__row15482155634714">
<td class="cellrowborder" valign="top" width="20.23%" headers="mcps1.3.2.2.2.2.1.2.4.1.1 "><p id="mrs_01_1853__p848275618475">Auditor Users/Auditor Usergroups</p></td>
<td class="cellrowborder" valign="top" width="66.45%" headers="mcps1.3.2.2.2.2.1.2.4.1.2 "><p id="mrs_01_1853__p148205674711">Auditor users and user groups of the security zone. They can view the resource permission policies in the security zone.</p>
<p id="mrs_01_1853__p19904124144812">At least one user or user group must be configured.</p></td>
<td class="cellrowborder" valign="top" width="13.32%" headers="mcps1.3.2.2.2.2.1.2.4.1.3 "><p id="mrs_01_1853__p149511654174917">zone_user</p></td>
</tr>
<tr id="mrs_01_1853__row1662115544810">
<td class="cellrowborder" valign="top" width="20.23%" headers="mcps1.3.2.2.2.2.1.2.4.1.1 "><p id="mrs_01_1853__p1529956154813">Select Tag Services</p></td>
<td class="cellrowborder" valign="top" width="66.45%" headers="mcps1.3.2.2.2.2.1.2.4.1.2 "><p id="mrs_01_1853__p106215544810">Tag services associated with the security zone</p></td>
<td class="cellrowborder" valign="top" width="13.32%" headers="mcps1.3.2.2.2.2.1.2.4.1.3 "><p id="mrs_01_1853__p17951105454914">-</p></td>
</tr>
<tr id="mrs_01_1853__row912615954711">
<td class="cellrowborder" valign="top" width="20.23%" headers="mcps1.3.2.2.2.2.1.2.4.1.1 "><p id="mrs_01_1853__p1331836124919">Select Resource Services</p></td>
<td class="cellrowborder" valign="top" width="66.45%" headers="mcps1.3.2.2.2.2.1.2.4.1.2 "><p id="mrs_01_1853__p9127169134715">Services and resources in the security zone.</p>
<p id="mrs_01_1853__p13590113910555">After selecting a service, add the specific resource objects in the <strong id="mrs_01_1853__b19936173584611">Resource</strong> column, such as HDFS directories, Yarn queues, Hive databases and tables, and HBase tables and columns.</p></td>
<td class="cellrowborder" valign="top" width="13.32%" headers="mcps1.3.2.2.2.2.1.2.4.1.3 "><p id="mrs_01_1853__p159511454204912">/testzone</p></td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_1853__p17692175871420">For example, to create a security zone for the <strong id="mrs_01_1853__b68158314470">/testzone</strong> directory in HDFS, the configuration is as follows:</p>
<p id="mrs_01_1853__p4932217150"><span><img id="mrs_01_1853__image199858242113" src="en-us_image_0000001349169825.png"></span></p>
</p></li><li id="mrs_01_1853__li981513139599"><span>Click <strong id="mrs_01_1853__b59066874710">Save</strong> and wait until the security zone is added successfully.</span><p><p id="mrs_01_1853__p1129819595215">The Ranger administrator can view all security zones on the <strong id="mrs_01_1853__b947272184715">Security Zone</strong> page and click <strong id="mrs_01_1853__b266814271475">Edit</strong> to modify the attributes of a security zone. If resources do not need to be managed in a security zone, the Ranger administrator can click <strong id="mrs_01_1853__b556163444717">Delete</strong> to delete the security zone.</p>
</p></li></ol>
</div>
<div class="section" id="mrs_01_1853__section2745154592116"><h4 class="sectiontitle">Configuring Permission Policies in a Security Zone</h4><ol id="mrs_01_1853__ol18441518103215"><li id="mrs_01_1853__li58441318173210"><span>Log in to the Ranger management page as the administrator of a security zone.</span></li><li id="mrs_01_1853__li268515311256"><span>Select a security zone from the <strong id="mrs_01_1853__b46218179556">Security Zone</strong> drop-down list in the upper right corner of the Ranger home page to switch to the permission view of the security zone.</span><p><p id="mrs_01_1853__p125522161283"><span><img id="mrs_01_1853__image79716130287" src="en-us_image_0000001295770300.png"></span></p>
</p></li><li id="mrs_01_1853__li57185284516"><span>Click the permission plug-in name of a component. The security access policy list page of that component is displayed.</span><p><div class="note" id="mrs_01_1853__note3665101145213"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1853__p146661117522">In the policy list of each component, the default policy items generated by the system are automatically inherited by the security zone, so that the permissions of certain default users and user groups in the cluster are preserved.</p>
</div></div>
</p></li><li id="mrs_01_1853__li15584102711513"><span>Click <strong id="mrs_01_1853__b19986144735516">Add New Policy</strong> and configure resource access policies for the related users or user groups according to the planned service scenario.</span><p><p id="mrs_01_1853__p96751032163411">In this example, a policy that allows user test to access the <strong id="mrs_01_1853__b15996161495">/testzone/test</strong> directory is configured in the security zone.</p>
<p id="mrs_01_1853__p399641112354"><span><img id="mrs_01_1853__image558215307399" src="en-us_image_0000001296090092.png"></span></p>
<p id="mrs_01_1853__p050313465117">The following access policies are examples for different components:</p>
<ul id="mrs_01_1853__ul79191810821"><li id="mrs_01_1853__li236015315414"><a href="mrs_01_1856.html">Adding a Ranger Access Permission Policy for HDFS</a></li><li id="mrs_01_1853__li99173811556"><a href="mrs_01_1857.html">Adding a Ranger Access Permission Policy for HBase</a></li><li id="mrs_01_1853__li2151131218553"><a href="mrs_01_1858.html">Adding a Ranger Access Permission Policy for Hive</a></li><li id="mrs_01_1853__li128531014195510"><a href="mrs_01_1859.html">Adding a Ranger Access Permission Policy for Yarn</a></li><li id="mrs_01_1853__li253818180552"><a href="mrs_01_1860.html">Adding a Ranger Access Permission Policy for Spark2x</a></li><li id="mrs_01_1853__li17240822105516"><a href="mrs_01_1861.html">Adding a Ranger Access Permission Policy for Kafka</a></li><li id="mrs_01_1853__li7177173065517"><a href="mrs_01_1863.html">Adding a Ranger Access Permission Policy for Storm</a></li></ul>
<p id="mrs_01_1853__p786310493212">After the policies are added, wait for about 30 seconds for them to take effect.</p>
<div class="note" id="mrs_01_1853__note97312517522"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="mrs_01_1853__ul203941213312"><li id="mrs_01_1853__li63945113113">Policies defined in a security zone apply only to resources in the zone. After service resources are allocated to the security zone, the access permission policies for the resources in the non-security zone do not take effect.</li><li id="mrs_01_1853__li7788689313">To configure access policies for resources outside the current security zone, click <strong id="mrs_01_1853__b18663153613166">Security Zone</strong> in the upper right corner of the Ranger homepage to exit the current security zone.</li></ul>
</div></div>
</p></li></ol>
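<p>As an added example that is not part of this document or of Ranger itself, the following Python models the scoping rule stated in both sections above: a zone definition built from the Table 1 values for the <strong>/testzone</strong> example, a zone policy for user test on <strong>/testzone/test</strong>, and a simplified evaluator that consults only the policies of the zone a resource belongs to. The service name, the constructed policy set and the path-prefix matching are assumptions for illustration, not Ranger's engine or its API.</p>

```python
# Added example: a simplified model of Ranger security-zone scoping.
# Field names mirror the Table 1 parameters; the service name "hdfs" and the
# policies below are constructed for illustration, not taken from a cluster.

# Zone definition for the /testzone example (constructed).
ZONES = {
    "test": {
        "description": "Security zone",
        "adminUsers": ["zone_admin"],
        "auditUsers": ["zone_user"],
        "services": {"hdfs": {"resources": [{"path": ["/testzone"]}]}},
    }
}

# Constructed policies. zoneName "" denotes the non-zone (global) policy set.
POLICIES = [
    {"name": "zone-test-read", "zoneName": "test", "service": "hdfs",
     "path": "/testzone/test", "users": ["test"], "accesses": ["read", "execute"]},
    {"name": "global-all", "zoneName": "", "service": "hdfs",
     "path": "/", "users": ["test"], "accesses": ["read", "write", "execute"]},
]


def _under(path, root):
    """True when `path` equals `root` or lies below it on a directory boundary,
    so /testzone2 is NOT under /testzone."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def zone_of(service, path):
    """Return the name of the zone owning `path`, or "" if the path is unzoned."""
    for zname, zone in ZONES.items():
        for res in zone["services"].get(service, {}).get("resources", []):
            if any(_under(path, root) for root in res["path"]):
                return zname
    return ""


def is_allowed(user, service, path, access):
    """Evaluate only the policies of the resolved zone: a global policy never
    grants access to a zoned resource, and a zone policy never reaches outside."""
    zname = zone_of(service, path)
    for pol in POLICIES:
        if pol["zoneName"] != zname or pol["service"] != service:
            continue  # policy belongs to a different scope; it does not apply
        if _under(path, pol["path"]) and user in pol["users"] and access in pol["accesses"]:
            return True
    return False
```

Note that the global policy grants user test write on <strong>/</strong>, yet write on <strong>/testzone/test</strong> is denied because that path is zoned and only the zone's policies are consulted.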
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_1849.html">Using Ranger (MRS 3.x)</a></div>
</div>
</div>