Data access control

更新时间:
复制 MD 格式

Ranger is a security component of Lindorm that manages data access permissions for multiple users. This topic describes how to configure these permissions using the Ranger service page and SQL commands, which simplifies access control and improves data security and efficiency.

Prerequisites

Enable Ranger

Note

To use Ranger, contact Lindorm technical support (DingTalk ID: s0s3eg3) to enable it.

  1. Log on to the Lindorm console.

  2. In the upper-left corner of the page, select the region where the instance is deployed.

  3. On the Instances page, click the ID of the target instance or click View Instance Details in the Actions column for the instance.

  4. In the left-side navigation pane, click Database Connection.

  5. Click the Compute Engine tab and then click Enable Ranger URL.

Procedure

Ranger service page

Log on to Ranger

  1. On the Compute Engine tab, obtain the Ranger URL and click the URL to open the Ranger service page.

    The Ranger Address section provides two types of access addresses, virtual private cloud (VPC) and public network, which are HTTP addresses on port 6080.

  2. Log on to the Ranger service with the username and password for the Lindorm wide table engine.

Use Ranger

In Ranger, you configure permission policies to grant access based on resource requirements. User information is synchronized from the Lindorm wide table engine. The following sections describe the permission policy model and how to create a permission policy.

Ranger policy model

A Ranger policy model consists of two main parts:

  • The policy's target resources, such as Hive databases, tables, and columns.

  • The access permissions for specific users, user groups, or roles.

The following diagram shows how policies are evaluated when a data query is requested:

image
Important

The root user is a system administrator with the highest system permissions. This user is not subject to the process described above.

Create a permission policy

  1. On the home page, click ldps_service to go to the permissions list page.

    On the permissions list page, the Access tab is displayed by default. The top of the page also includes the Masking and Row Level Filter tabs. In the middle of the page, a search box and an Add New Policy button are provided. The policy list below shows the existing default policies and their statuses.

  2. Ranger includes several default permission policies. You can ignore them and click Add New Policy to open the policy creation page.

    Important
    • Ranger includes a default user group named public, which represents all users.

    • By default, several permission policies grant initial permissions. For example, the public user group has permissions to create databases and create tables in the default database. You can delete or disable these default policies so that only your newly created policies take effect.

  3. The policy creation page has four main sections: policy details, resources, allow conditions, and deny conditions. Configure the settings as follows:

    • Policy Details: Add a policy name, label, and description. You can also enable or disable the policy, set it to override other policies, and define its validity period.

    • Resources: Add the resources to which you want to grant permissions, such as a database, table, or column. To add a permission policy that involves multiple databases, click +Add Resource to add more resources.

      To the right of each resource level, you can toggle the Include/Exclude switch to apply an inclusion or exclusion rule for the selected resource.

    • Allow Conditions:

      ① Grant permissions on the specified resources to specific users, user groups, or roles.

      Procedure: In the drop-down lists of the Select Roles, Select Groups, and Select User fields, select the desired roles, user groups, or users. Then, click Add Permissions and select the permissions that you want to grant.

      ② Configure exceptions to the allow conditions (Exclude from Allow Conditions). For example, you have a user group named sales_group that contains user1 and user2. You have granted the sales_group all permissions on the products database. However, for security reasons, you do not want user2 to have the permission to delete the products database. In this case, under Exclude from Allow Conditions, select user2 in the Select User field, click Add Permissions, and then select Drop.

      Important

      In Ranger, permission policies are resource-specific (database, table, or column). If a new policy's resources overlap with an existing one, Ranger reports an error. In this case, you can edit the conflicting policy and click the image icon in the allow conditions section to add the new user and their permissions.

    • Deny Conditions:

      Note

      Setting Deny All Other Accesses to True denies all other access.

      ① Deny permissions for specific users, user groups, or roles.

      Procedure: In the drop-down lists of the Select Roles, Select Groups, and Select User fields, select the desired roles, user groups, or users. Then, click Add Permissions and select the permissions that you want to deny.

      ② Configure exceptions to the deny conditions (Exclude from Deny Conditions). You can specify users, user groups, or roles to be exempted from the deny rule. For example, you have denied all permissions on the customer table to the sales_group user group but want to allow user1 from that group to query the customer table. In this case, select user1 in the Select User field, click Add Permissions, and then select Select. You must also grant user1 the Select permission on the customer table in the Allow Conditions section of a policy. Then, user1 can query the customer table.

  4. At the bottom of the page, click Save to create the new policy. After the policy is saved, it takes effect immediately.

SQL

The Lindorm compute engine implements Data Control Language (DCL) by controlling Ranger permission policies. You can also connect to the Lindorm compute engine by using Beeline and then use SQL to perform permission operations.

GRANT

Grants privileges at the global, database, table, and column levels. The privileges (ALL, READ, WRITE, and TRASH) have the same meanings as in Lindorm SQL. For more information, see GRANT.

Syntax

grant_permission_statement ::=  GRANT privilege_definition ON resource_definition TO user_identifier 
privilege_definition       ::=  ALL | READ | WRITE | ADMIN | TRASH
resource_definition        ::=  GLOBAL | DATABASE db_identifier | SCHEMA db_identifier | TABLE db_identifier.table_identifier | TABLE db_identifier.table_identifier '('col_identifier (, col_identifier)*')'
Note
  • Only the root user can execute the GRANT command.

  • Unlike the standard GRANT, the ADMIN privilege in the Lindorm compute engine does not grant full administrator status. Instead, it grants only the permission to create databases or tables.

  • Column-level privileges support only READ, WRITE, and ALL.

Examples

  • Grant the global read privilege to user1.

    GRANT READ ON GLOBAL TO user1;
  • Grant all privileges on database db1 to user2.

    GRANT ALL ON DATABASE db1 TO user2;
    -- or
    GRANT ALL ON SCHEMA db1 TO user2;
  • Grant the write privilege on table table1 in database db2 to user3.

    GRANT WRITE ON TABLE db2.table1 TO user3;
  • Grant the read privilege on columns col1 and col2 of table table2 in database db2 to user4.

    GRANT READ ON TABLE db2.table2(col1, col2) TO user4;

REVOKE

Revokes privileges at the global, database, table, and column levels.

Syntax

revoke_permission_statement ::=  REVOKE privilege_definition ON resource_definition FROM user_identifier 
privilege_definition       ::=  ALL | READ | WRITE | ADMIN | TRASH
resource_definition        ::=  GLOBAL | DATABASE db_identifier | SCHEMA db_identifier | TABLE db_identifier.table_identifier | TABLE db_identifier.table_identifier '('col_identifier (, col_identifier)*')'
Note

Only the root user can execute the REVOKE command.

Examples

  • Revoke the global read privilege from user1.

    REVOKE READ ON GLOBAL FROM user1;
  • Revoke all privileges on database db1 from user2.

    REVOKE ALL ON DATABASE db1 FROM user2;
    -- or
    REVOKE ALL ON SCHEMA db1 FROM user2;
  • Revoke the write privilege on table table1 in database db2 from user3.

    REVOKE WRITE ON TABLE db2.table1 FROM user3;
  • Revoke the read privilege on column col1 of table table2 in database db2 from user4.

    REVOKE READ ON TABLE db2.table2(col1) FROM user4;

SHOW PRIVILEGES

Displays the privileges for all users.

Syntax

show_privileges_statement ::=  SHOW PRIVILEGES
Note

Only the root user can execute the SHOW PRIVILEGES command.

Example

Display the privileges of all users.

SHOW PRIVILEGES;

SHOW USERS

Displays all usernames.

Syntax

show_users_statement ::=  SHOW USERS

Example

SHOW USERS;