All of the Ranger configurations for Arcadia are done via Ambari within the Arcadia configuration page, and also the Apache Ranger portal:
- Enable “Enable Apache Ranger Support”
- Make sure “Proxy User Config” is set to arcadia=*
- Edit the Hive policy configuration properties
- Add user ‘arcadia’ to the Hive policy download/sync user lists
The “arcadia” user should be added to the following Hive policy configurations
tag.download.auth.users policy.dowload.auth.users policy.grantrevoke.auth.users ambari.service.check.user
NOTE: Make sure you do NOT HAVE any spaces between hive & arcadia users when you update these configurations.
hive,arcadia --- OK hive, arcadia --- NOT OK
- Open the policy rules for Hive
- Add “arcadia” user to the appropriate Hive ACL rule(s) so Arcadia can access all databases, tables, columns, udfs, etc.
- Open the policy rules for HDFS
- Add “arcadia” user to the appropriate HDFS ACL rule so Arcadia can access all data directory paths
Enable User Impersonation from Arcadia UI
Checking the “Impersonation” option inside your Arcadia Connection will enable an Arcadia Analytics Engine flag for delegation / impersonation when executing queries from the Arcadia Visualization Server so that users can only access the databases, tables, etc. that they’ve been designated to according to the Hive and HDFS policies: