Ranger Authorization for Schema Registry
Accessing Schema Registry resources can be controlled through the Schema Registry Ranger plugin. The types of access control include:
CREATEREADUPDATEDELETE
Similar to access control, users have access to the following types of resources:
SERDE: Used to represent Serializer/Deserializer resources.SCHEMA_METADATA: Used to represent schema metadata resource.SCHEMA_BRANCH: Used to represent schema branch resource.SCHEMA_VERSION: Used to represent the schema version resource.EXPORT_IMPORT: Used to represent permission to perform Export/Import.
Default Ranger Policies
Pre-defined access policies are created by default when the Schema Registry service is installed. These policies control:
- Who can create/update any schema-metadata
- Who can update schemas in any schema-metadata
- Who can perform import/export operations
- Who can use pluggable
SERDE
Default policies include:
| Policy | Description |
|---|---|
all - registry service |
This is a broader policy, whichever user is added in this policy can access all Schema Registry services. |
all - serde |
This allows any user to store the jar files for a custom Serializer/Deserializer. This defines data format, how it must be read/written. |
all - schema-group, schema-metadata |
This allows a user to create/update/delete/read access the schema metadata and the schema groups. |
all - schema-group, schema-metadata, schema-branch |
This allows a user to create/update/delete/read access the schema metadata, the schema groups and also schema branch. |
all - schema-group, schema-metadata, schema-branch, schema-version |
This allows a user to create/update/delete/read access the schema metadata, the schema groups, schema branch. Also, allows the user to create different versions of same schema. |
Updating Default Policies
-
In the Allow conditions section, update the user or group to allow the access.
-
Click Save.
Creating Custom Policies
-
Click Add new policy.
-
Click Save.
