Ranger Authorization for Schema Registry
Accessing Schema Registry resources can be controlled through the Schema Registry Ranger plugin. The types of access control include:
- CREATE
- READ
- UPDATE
- DELETE
Access can be controlled for the following types of resources:
- SERDE: Used to represent Serializer/Deserializer resources.
- SCHEMA_METADATA: Used to represent the schema metadata resource.
- SCHEMA_BRANCH: Used to represent the schema branch resource.
- SCHEMA_VERSION: Used to represent the schema version resource.
- EXPORT_IMPORT: Used to represent permission to perform Export/Import.
Default Ranger Policies
Pre-defined access policies are created by default when the Schema Registry service is installed. These policies control:
- Who can create/update any schema-metadata
- Who can update schemas in any schema-metadata
- Who can perform import/export operations
- Who can use pluggable SERDE
Default policies include:
Policy | Description |
---|---|
all - registry service | This is a broader policy: any user added to this policy can access all Schema Registry services. |
all - serde | Allows any user to store the JAR files for a custom Serializer/Deserializer. This defines the data format and how it must be read/written. |
all - schema-group, schema-metadata | Gives a user create/update/delete/read access to the schema metadata and the schema groups. |
all - schema-group, schema-metadata, schema-branch | Gives a user create/update/delete/read access to the schema metadata, the schema groups, and the schema branch. |
all - schema-group, schema-metadata, schema-branch, schema-version | Gives a user create/update/delete/read access to the schema metadata, the schema groups, and the schema branch. Also allows the user to create different versions of the same schema. |
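Because the default policies cover every resource of their type, it is worth checking who has been added to them. The following is an added example, not part of the original documentation: it scans policies in Ranger's policy JSON shape and lists principals that hold CREATE, UPDATE or DELETE on all-wildcard policies. The resource key names (taken from the policy names above), the `schemaregistry` service user, and the sample data are assumptions constructed for illustration.

```python
import json

WRITE = {"create", "update", "delete"}  # write-type accesses listed on this page

# Constructed sample in the shape of a Ranger policy export.
# Resource keys, users and groups are assumptions made up for illustration.
SAMPLE = json.loads("""
[
 {"name": "all - registry service", "isEnabled": true,
  "resources": {"registry-service": {"values": ["*"]}},
  "policyItems": [{"users": ["schemaregistry", "alice"], "groups": [],
                   "accesses": [{"type": "create", "isAllowed": true},
                                {"type": "read", "isAllowed": true}]}]},
 {"name": "all - serde", "isEnabled": true,
  "resources": {"serde": {"values": ["*"]}},
  "policyItems": [{"users": [], "groups": ["public"],
                   "accesses": [{"type": "create", "isAllowed": true}]}]},
 {"name": "orders - read only", "isEnabled": true,
  "resources": {"schema-group": {"values": ["kafka"]},
                "schema-metadata": {"values": ["orders"]}},
  "policyItems": [{"users": ["bob"], "groups": [],
                   "accesses": [{"type": "read", "isAllowed": true}]}]}
]
""")

def audit(policies, expected=frozenset({"schemaregistry"})):
    """Return (policy, principal, accesses) for write grants on all-wildcard policies."""
    findings = []
    for p in policies:
        if not p.get("isEnabled", True):
            continue
        # An "all - ..." policy matches every resource: each value list is ["*"].
        if not all(r.get("values") == ["*"] for r in p["resources"].values()):
            continue
        for item in p.get("policyItems", []):
            granted = {a["type"] for a in item["accesses"] if a.get("isAllowed")} & WRITE
            if not granted:
                continue
            # Users in `expected` (assumed service accounts) are not reported.
            principals = [("user", u) for u in item.get("users", []) if u not in expected]
            principals += [("group", g) for g in item.get("groups", [])]
            for kind, name in principals:
                findings.append((p["name"], f"{kind}:{name}", sorted(granted)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

A `group:public` finding deserves particular attention, since Ranger's built-in `public` group matches every user.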