Ranger policies

Ranger security integration for Db2® Big SQL supports both resource-based and tag-based policies.

Policies that are defined in the Db2 Big SQL Ranger plugin provide access control rules for native Db2 tables, views, and nicknames. Db2 Big SQL obeys policies that are defined in the Hadoop SQL (Hive) plugin or the HBase plugin when performing access control for Hadoop or HBase tables, respectively.

Resource-based policies

A resource-based policy enables a security administrator to grant permissions on a database object or on a set of database objects to users and groups. A resource-based policy that is created within the Db2 Big SQL plugin applies only to authorization checks that are performed by the Db2 Big SQL service against native Db2 objects.

To work with resource-based policies in the Ranger UI, complete the following steps:
  1. Click Resource Based Policies on the Access Manager tab.
  2. Select the plugin name under the Big SQL service.
  3. Select a policy from the list of existing policies. In the Action column, there are buttons to view, edit, or delete a policy. To create a policy, click Add New Policy.
Follow a similar process to work with resource-based policies in the Hadoop SQL (Hive) and HBase plugins.

Tag-based policies

A tag-based policy enables a security administrator to grant permissions to tags (or classifications) that are defined in a governance service such as Apache Atlas. To create a tag-based policy for Db2 Big SQL objects, configure Ranger TagSync to synchronize the Ranger tag store with Atlas. For instructions on how to configure Ranger TagSync, see the CDP documentation. In Apache Atlas, tags are known as classifications, and you can assign one classification to multiple Atlas entities. For example, to create a classification and assign it to a Db2 Big SQL table, complete the following steps:
  1. In the Atlas UI, click the CLASSIFICATION tab and then the + button.
  2. In the window that opens, assign a name to the new classification and optionally add a description and attributes.
  3. In the SEARCH tab, search for hive_table or hbase_table entities.
    Note: Native Db2 Big SQL database objects will not appear as entities in Atlas, and tag-based policies cannot be defined on them at this time.
  4. Click the + button in the Classification column and select the classification that is to be assigned to the table entity.
  5. Repeat this process to assign a classification to multiple entities, or to create additional classifications.
If Ranger TagSync is properly configured, the new classifications are synchronized to Ranger automatically.
To create a tag-based policy in the Ranger UI, complete the following steps:
  1. Click Tag Based Policies on the Access Manager tab.
  2. Click the + symbol to create a tag service.
  3. Assign a name for the new tag service.
  4. On the Resource Based Policies page, add the new tag service to the resource policy service. Click the Edit button beside the service for which the tag-based policy will be defined.
  5. Select the tag service that you created in Step 2 and save the change.
  6. On the Tag Based Policies page, click the tag service to create, view, edit, or delete tag-based policies. Creating a tag-based policy is very similar to creating a resource-based policy, except that permissions (for example, select, update, delete, insert, create, drop, alter, index, or analyze) are granted at the component level (for example, bigsql). Tag-based policies enable permissions to be granted on objects at a level of abstraction that is one step beyond tables and schemas.
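The resolution rules from both sections above, as a small Python model added here (it is not Ranger's engine or IBM's code): a resource-based policy counts only inside the plugin that performs the check for a given table, and a tag-based policy only reaches tables that exist as Atlas entities, so native Db2 objects never match one. The table kinds, policy fields, the "component equals checking plugin" matching rule, and the sample policies are constructed assumptions.

```python
from collections import namedtuple

# Plugin whose policies govern each kind of table, per the text above.
PLUGIN_FOR_KIND = {"native": "bigsql", "hadoop": "hive", "hbase": "hbase"}

Table = namedtuple("Table", "schema name kind")  # kind: "native", "hadoop" or "hbase"
# A resource-based policy lives in one plugin; "*" as schema or table matches anything.
ResourcePolicy = namedtuple("ResourcePolicy", "plugin schema table principals accesses")
# A tag-based policy grants accesses on an Atlas classification for one component.
TagPolicy = namedtuple("TagPolicy", "tag component principals accesses")

def synced_tags(table, atlas):
    """Tags Ranger holds for a table after TagSync. Native Db2 Big SQL objects
    are never Atlas entities, so no classification reaches them (the Note above)."""
    if table.kind == "native":
        return frozenset()
    return atlas.get((table.schema, table.name), frozenset())

def is_allowed(user, groups, access, table, resource_policies, tag_policies, atlas):
    principals = {user, *groups}
    plugin = PLUGIN_FOR_KIND[table.kind]
    # A resource-based policy counts only if it lives in the plugin checking this table.
    for p in resource_policies:
        if (p.plugin == plugin and p.schema in ("*", table.schema)
                and p.table in ("*", table.name)
                and principals & p.principals and access in p.accesses):
            return True
    # A tag-based policy counts if the table carries the tag and the policy targets the
    # component doing the check (a modelling assumption, not Ranger's exact matching).
    tags = synced_tags(table, atlas)
    for t in tag_policies:
        if (t.component == plugin and t.tag in tags
                and principals & t.principals and access in t.accesses):
            return True
    return False

# Constructed sample: a "PII" classification recorded for both tables, to show that
# only the tag on the Hive entity ever reaches Ranger.
ATLAS = {("web", "clicks"): frozenset({"PII"}), ("sales", "orders"): frozenset({"PII"})}
RESOURCE_POLICIES = [ResourcePolicy("bigsql", "sales", "*", frozenset({"analysts"}), frozenset({"select"})),
                     ResourcePolicy("hive", "sales", "orders", frozenset({"analysts"}), frozenset({"update"}))]
TAG_POLICIES = [TagPolicy("PII", "hive", frozenset({"auditors"}), frozenset({"select"}))]

def check(user, groups, access, table):
    """Evaluate one request against the constructed sample policies."""
    return is_allowed(user, groups, access, table, RESOURCE_POLICIES, TAG_POLICIES, ATLAS)
```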