forked from BROADSoftware/ranger_modules
ranger_hdfs_policies.txt
> RANGER_HDFS_POLICIES
This module allows you to manage HDFS policies in Apache Ranger. Please refer to the Apache Ranger documentation for
authorization policy concepts and usage.
OPTIONS (= is mandatory):
= admin_password
The password associated with the admin_username
[Default: None]
= admin_url
The Ranger base URL used to access the Ranger API. Same host:port as the Ranger Admin GUI. Typically
http://myranger.server.com:6080 or https://myranger.server.com:6182
[Default: None]
= admin_username
The user name used to log on to the Ranger Admin. Must have enough rights to manage policies.
Also accepts the special value `KERBEROS'. In that case, a valid Kerberos ticket must exist for the ansible_user account
on the target system. (A `kinit' must be issued under this account). The HDFS operation will then be performed on behalf of
the user defined by the Kerberos ticket.
[Default: None]
- ca_bundle_file
Useful if the Ranger Admin connection is using SSL. Allows you to specify a CA_BUNDLE file, a file that contains root and
intermediate certificates to validate the Ranger Admin certificate.
In its simplest case, it could be a file containing the server certificate in .pem format.
This file will be looked up on the remote system, on which this module will be executed.
[Default: None]
= policies
The list of policies you want to be defined by this operation.
[Default: None]
- policies[0..n].audit
Whether this policy is audited
[Default: True]
- policies[0..n].enabled
Whether this policy is enabled.
[Default: True]
= policies[0..n].name
The name of the policy. Must be unique across the system.
[Default: None]
= policies[0..n].paths
A list of HDFS paths this policy will apply to. Accepts the wildcard characters '*' and '?'.
[Default: None]
= policies[0..n].permissions
A list of permissions associated with this policy.
[Default: None]
= policies[0..n].permissions[0..n].accesses
A list of access rights granted by this permission.
[Default: None]
- policies[0..n].permissions[0..n].delegate_admin
When a policy is assigned to a user or a group of users, those users become the delegated admin. The delegated admin can
update and delete the policies.
[Default: False]
- policies[0..n].permissions[0..n].groups
A list of groups this permission will apply on.
[Default: None]
- policies[0..n].permissions[0..n].users
A list of users this permission will apply on.
[Default: None]
- policies[0..n].recursive
Whether this policy is recursive
[Default: True]
- service_name
In most cases, you should not need to set this parameter. It defines the Ranger Admin HDFS service, typically
<yourClusterName>_hadoop.
It must be set if there are several such services defined in your Ranger Admin configuration, to select the one you
intend to use.
[Default: None]
- state
Whether to install (present) or remove (absent) these policies
(Choices: present, absent)[Default: present]
- validate_certs
Useful if Ranger Admin connection is using SSL. If no, SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates.
[Default: True]
AUTHOR: Serge ALEXANDRE
EXAMPLES:
# Grant full rights for user 'coxi' on folders '/apps/coxi01' and '/user/coxi01', in a recursive way
- hosts: edge_node1
  roles:
    - ranger_modules
  tasks:
    - ranger_hdfs_policies:
        state: present
        admin_url: http://ranger.mycompany.com:6080
        admin_username: admin
        admin_password: admin
        policies:
          - name: "coxi01"
            paths:
              - "/apps/coxi01"
              - "/user/coxi01"
            permissions:
              - users:
                  - coxi
                accesses:
                  - Write
                  - read
                  - execute
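
The same kind of task with the connection and credential options documented above set defensively, as an added example that is not part of the module's own documentation. The host name, the variable names, the CA bundle path, the policy name and the group name are assumptions made for illustration.

```yaml
# Added example: read-only access for a group, with the Ranger Admin
# connection made over HTTPS and its certificate validated.
- hosts: edge_node1
  roles:
    - ranger_modules
  tasks:
    - ranger_hdfs_policies:
        state: present
        # HTTPS endpoint instead of plain HTTP (placeholder host name)
        admin_url: https://ranger.mycompany.com:6182
        # Hypothetical variables, for instance loaded from an Ansible Vault
        # file, so no credential is written in the playbook itself
        admin_username: "{{ ranger_admin_username }}"
        admin_password: "{{ ranger_admin_password }}"
        # Keep certificate validation on and point it at the CA chain;
        # the file is looked up on the remote system (hypothetical path)
        validate_certs: yes
        ca_bundle_file: /etc/pki/tls/certs/ranger_ca_bundle.pem
        policies:
          - name: "coxi01_readonly"        # hypothetical policy name
            paths:
              - "/apps/coxi01"
            recursive: yes
            audit: yes                     # keep access to these paths audited
            enabled: yes
            permissions:
              - groups:
                  - coxi_readers           # hypothetical group
                accesses:                  # only what the group needs
                  - read
                  - execute
                delegate_admin: no         # members cannot update or delete the policy
      # Ansible task keyword: keeps the task arguments, including the
      # password, out of task output and logs
      no_log: true
```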