Ranger Authorization for Schema Registry
Accessing Schema Registry resources can be controlled through the Schema Registry Ranger plugin. The types of access control include:
- CREATE
- READ
- UPDATE
- DELETE
These access types can be granted on the following types of resources:
- SERDE: Represents Serializer/Deserializer resources.
- SCHEMA_METADATA: Represents the schema metadata resource.
- SCHEMA_BRANCH: Represents the schema branch resource.
- SCHEMA_VERSION: Represents the schema version resource.
- EXPORT_IMPORT: Represents permission to perform Export/Import.
Default Ranger Policies
Pre-defined access policies are created by default when the Schema Registry service is installed. These policies control:
- Who can create/update any schema-metadata
- Who can update schemas in any schema-metadata
- Who can perform import/export operations
- Who can use pluggable SERDE
Default policies include:
| Policy | Description |
|---|---|
| all - registry service | This is a broad policy: any user added to it can access all Schema Registry services. |
| all - serde | Allows any user to store the jar files for a custom Serializer/Deserializer. A Serializer/Deserializer defines the data format and how it must be read and written. |
| all - schema-group, schema-metadata | Allows a user to create, update, delete, and read the schema metadata and the schema groups. |
| all - schema-group, schema-metadata, schema-branch | Allows a user to create, update, delete, and read the schema metadata, the schema groups, and the schema branch. |
| all - schema-group, schema-metadata, schema-branch, schema-version | Allows a user to create, update, delete, and read the schema metadata, the schema groups, and the schema branch. Also allows the user to create different versions of the same schema. |
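Because the default policies are wildcard policies, it is worth reviewing who has been added to them. The following is an added example, not Cloudera or Ranger code: it audits a policy export for the default policy names listed above. Field names follow Ranger's policy JSON model; the sample export, its resource keys, and the user names are constructed assumptions.

```python
import json

# Default policy names exactly as listed in the table above.
DEFAULT_POLICIES = {
    "all - registry service", "all - serde",
    "all - schema-group, schema-metadata",
    "all - schema-group, schema-metadata, schema-branch",
    "all - schema-group, schema-metadata, schema-branch, schema-version",
}
ALL_ACCESS = {"create", "read", "update", "delete"}
BROAD_GROUPS = {"public"}  # Ranger's built-in group that matches every user

def _item(users, groups, types):
    """Build one constructed policy item in Ranger's policy JSON shape."""
    return {"users": users, "groups": groups,
            "accesses": [{"type": t, "isAllowed": True} for t in types]}

# Constructed sample export; user names and resource keys are assumptions.
SAMPLE_EXPORT = json.dumps({"policies": [
    {"name": "all - registry service", "isEnabled": True,
     "resources": {"registry-service": {"values": ["*"]}},
     "policyItems": [_item(["schemaregistry"], [], sorted(ALL_ACCESS))]},
    {"name": "all - serde", "isEnabled": True,
     "resources": {"serde": {"values": ["*"]}},
     "policyItems": [_item([], ["public"], ["create", "read"])]},
    {"name": "all - schema-group, schema-metadata", "isEnabled": True,
     "resources": {"schema-group": {"values": ["*"]},
                   "schema-metadata": {"values": ["*"]}},
     "policyItems": [_item(["etl_dev"], [], sorted(ALL_ACCESS))]},
    {"name": "team-a read only", "isEnabled": True,
     "resources": {"schema-metadata": {"values": ["orders*"]}},
     "policyItems": [_item(["analyst"], [], ["read"])]},
]})

def audit_default_policies(export_json, expected_principals):
    """Return (policy, kind, principal, reason) for risky grants in default policies."""
    findings = []
    for policy in json.loads(export_json).get("policies", []):
        if policy.get("name") not in DEFAULT_POLICIES or not policy.get("isEnabled", True):
            continue
        wildcard = all("*" in r.get("values", []) for r in policy.get("resources", {}).values())
        for item in policy.get("policyItems", []):
            granted = {a["type"].lower() for a in item.get("accesses", []) if a.get("isAllowed")}
            principals = ([("user", u) for u in item.get("users", [])]
                          + [("group", g) for g in item.get("groups", [])])
            for kind, name in principals:
                if kind == "group" and name in BROAD_GROUPS:
                    findings.append((policy["name"], kind, name, "granted to every user"))
                elif wildcard and granted >= ALL_ACCESS and name not in expected_principals:
                    findings.append((policy["name"], kind, name, "unexpected full access"))
    return findings
```

Pass the set of service and administrator accounts you expect to hold full access as `expected_principals`; anything else holding all four access types on a wildcard default policy is reported.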