ranger_yarn_policies.txt
> RANGER_YARN_POLICIES
This module allows you to manage Yarn policies in Apache Ranger. Please refer to the Apache Ranger documentation for
authorization policy concepts and usage.
OPTIONS (= is mandatory):
= admin_password
The password associated with the admin_username
[Default: None]
= admin_url
The Ranger base URL to access Ranger API. Same host:port as the Ranger Admin GUI. Typically
http://myranger.server.com:6080 or https://myranger.server.com:6182
[Default: None]
= admin_username
The user name used to log on to Ranger Admin. Must have enough rights to manage policies.
Also accepts the special value `KERBEROS'. In that case, a valid Kerberos ticket must exist for the ansible_user account
on the target system. (A `kinit' must be issued under this account.) The HDFS operation will then be performed on behalf of
the user defined by the Kerberos ticket.
[Default: None]
- ca_bundle_file
Useful if the Ranger Admin connection is using SSL. Allows you to specify a CA_BUNDLE file, a file that contains root and
intermediate certificates to validate the Ranger Admin certificate.
In its simplest case, it could be a file containing the server certificate in .pem format.
This file will be looked up on the remote system, on which this module will be executed.
[Default: None]
= policies
The list of policies you want to be defined by this operation.
[Default: None]
- policies[0..n].audit
Whether this policy is audited
[Default: True]
- policies[0..n].enabled
Whether this policy is enabled.
[Default: True]
= policies[0..n].name
The name of the policy. Must be unique across the system.
[Default: None]
= policies[0..n].permissions
A list of permissions associated with this policy
[Default: None]
= policies[0..n].permissions[0..n].accesses
A list of access rights granted by this permission.
[Default: None]
- policies[0..n].permissions[0..n].delegate_admin
When a policy is assigned to a user or a group of users, those users become the delegated admin. The delegated admin can
update and delete the policies.
[Default: False]
- policies[0..n].permissions[0..n].groups
A list of groups this permission will apply to.
[Default: None]
- policies[0..n].permissions[0..n].users
A list of users this permission will apply to.
[Default: None]
= policies[0..n].queues
A list of Yarn queues this policy will apply to. Accepts the wildcard characters '*' and '?'
[Default: None]
- policies[0..n].recursive
Whether this policy is recursive
[Default: True]
- service_name
In most cases, you should not need to set this parameter. It defines the Ranger Admin Yarn service, typically
<yourClusterName>_yarn.
It must be set if there are several such services defined in your Ranger Admin configuration, to select the one you
intend to use.
[Default: None]
- state
Whether to install (present) or remove (absent) these policies
(Choices: present, absent)[Default: present]
- validate_certs
Useful if the Ranger Admin connection is using SSL. If no, SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates.
[Default: True]
AUTHOR: Serge ALEXANDRE
EXAMPLES:
# This playbook snippet will:
# - Allow all members of group 'users' to submit jobs on queue 'sales'.
# - Grant admin rights for user 'admin' on the same queue.
#
# Note also how we handle the certificate bundle, by first copying it to the remote system.
#
- hosts: edge_node1
  roles:
  - ranger_modules
  tasks:
  - name: Copy ca_bundle
    # dest must match the ca_bundle_file path used by the next task
    copy: src=../rangersrv_cert.pem dest=/etc/security/rangersrv_cert.pem owner=root mode=0400
  - name: Apply ranger Yarn policy
    ranger_yarn_policies:
      state: present
      admin_url: https://ranger.mycompany.com:6182
      admin_username: admin
      admin_password: admin
      validate_certs: yes
      ca_bundle_file: /etc/security/rangersrv_cert.pem
      policies:
      - name: "testyarn2"
        queues:
        - sales
        permissions:
        - groups:
          - users
          accesses:
          - submit-app
        - users:
          - admin
          accesses:
          - submit-app
          - admin-queue
          delegate_admin: true
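
The following is an added example, not part of the module or its documentation: a small static review of one ranger_yarn_policies task's arguments before it is applied, using the option names and defaults listed above. The function name, the finding strings, the choice of checks and the second sample task are assumptions made for this example.

```python
# Added example: static review of the arguments of one ranger_yarn_policies task.
# Defaults (audit=True, delegate_admin=False, validate_certs=True) are the ones
# documented in the option list; the checks themselves are this example's choice.
OFF = (False, "no", "false")

def review_task(args):
    """Return (scope, finding) tuples for one task's argument dict."""
    out = []
    url = args.get("admin_url") or ""
    if url.startswith("http://"):
        out.append(("task", "plain-http admin_url"))
    if args.get("validate_certs", True) in OFF:
        out.append(("task", "validate_certs disabled"))
    pw = args.get("admin_password")
    # A password that is not a template ({{ ... }}) is stored in the playbook itself.
    if args.get("admin_username") != "KERBEROS" and pw and "{{" not in str(pw):
        out.append(("task", "literal admin_password"))
    for pol in args.get("policies", []):
        name = pol["name"]
        if pol.get("audit", True) in OFF:
            out.append((name, "audit disabled"))
        wild = [q for q in pol.get("queues", []) if "*" in q or "?" in q]
        for perm in pol.get("permissions", []):
            who = ",".join(perm.get("users", []) + perm.get("groups", []))
            if perm.get("delegate_admin", False):
                out.append((name, "delegate_admin for " + who))
            if wild and "admin-queue" in perm.get("accesses", []):
                out.append((name, "admin-queue on wildcard queue for " + who))
    return out

# The task from the EXAMPLES section, written as a Python dict.
PAGE_EXAMPLE = {
    "admin_url": "https://ranger.mycompany.com:6182", "admin_username": "admin",
    "admin_password": "admin", "validate_certs": True,
    "ca_bundle_file": "/etc/security/rangersrv_cert.pem",
    "policies": [{"name": "testyarn2", "queues": ["sales"], "permissions": [
        {"groups": ["users"], "accesses": ["submit-app"]},
        {"users": ["admin"], "accesses": ["submit-app", "admin-queue"],
         "delegate_admin": True}]}]}

# Constructed sample (host and policy names are placeholders) with weaker settings.
CONSTRUCTED = {
    "admin_url": "http://ranger.example.test:6080", "admin_username": "KERBEROS",
    "validate_certs": False,
    "policies": [{"name": "wide", "queues": ["*"], "audit": False, "permissions": [
        {"groups": ["users"], "accesses": ["submit-app", "admin-queue"]}]}]}

if __name__ == "__main__":
    for label, task in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED)):
        for scope, finding in review_task(task):
            print(f"{label}: [{scope}] {finding}")
```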