hive_ranger_policies

Synopsis

Allow definition of a list of Apache Ranger policies for setting Hive permissions

Attributes

Each item of the list has the following attributes:

Name req? Description
name yes The policy name. Will be decorated to mark it as managed by HADeploy, as described in ranger_relay.
databases yes A list of Hive databases on which this policy will apply. Accept wildcard characters '*' and '?'.
tables no A list of HBase tables on which this policy will apply. Accept wildcard characters '*' and '?'.
If defined, udfsattribute must be not..
Default: "*"
columns no A list of columns on which the policy will apply.
Default: "*"
udfs no A list of UDF (User Defined Function) this policy will apply on.. Accept wildcard characters '*' and '?'.
If defined, tableand columns attribute must be not.
audit no Did this policy is audited by Ranger.
Default: yes
enabled no Allow this policy to be disabled.
Default: yes
no_remove False Boolean: Prevent this policy to be removed when HADeploy will be used in REMOVE mode.
Default: no
permissions yes A list of permissions defining rights granted by this policy. See below
when no Boolean. Allow conditional deployment of this item.
Default True

permissions

Each item of the permission list has the following attributes:

Name req? Description
users yes if groups is undefined A list of users this policy will apply on. May be empty if some groups are defined.
groups yes if users is undefined A list of groups this policy will apply on. May be empty if some users are defined.
accesses yes The list of rights granted by this policy. May include select, update, create, drop, alter, index, lock and all.
delegate_admin no When a policy is assigned to a user or a group of users those users become the delegated admin. The delegated admin can update and delete the policies.
Default: no

Examples

hive_ranger_policies:
- name: mktDbRule
  databases: 
  - dbmarketing
  tables: 
  - "*"
  permissions:
    - groups:
      - users
      accesses: 
      - select
      - update
    - users:
      - admin
      accesses:
      - all
      delegate_admin: yes