Ranger Authorization for Schema Registry

Accessing Schema Registry resources can be controlled through the Schema Registry Ranger plugin. The types of access control include:

  • CREATE
  • READ
  • UPDATE
  • DELETE

Access can be granted on the following types of resources:

  • SERDE: Used to represent Serializer/Deserializer resources.
  • SCHEMA_METADATA: Used to represent schema metadata resources.
  • SCHEMA_BRANCH: Used to represent schema branch resources.
  • SCHEMA_VERSION: Used to represent schema version resources.
  • EXPORT_IMPORT: Used to represent permission to perform Export/Import.

Default Ranger Policies

Pre-defined access policies are created by default when the Schema Registry service is installed. These policies control:

  • Who can create/update any schema-metadata
  • Who can update schemas in any schema-metadata
  • Who can perform import/export operations
  • Who can use pluggable SERDE

Default policies include:

| Policy | Description |
|---|---|
| all - registry service | This is a broader policy; any user added to this policy can access all Schema Registry services. |
| all - serde | This allows any user to store the jar files for a custom Serializer/Deserializer. A Serializer/Deserializer defines the data format and how it must be read and written. |
| all - schema-group, schema-metadata | This allows a user to create, update, delete, and read the schema metadata and the schema groups. |
| all - schema-group, schema-metadata, schema-branch | This allows a user to create, update, delete, and read the schema metadata, the schema groups, and the schema branch. |
| all - schema-group, schema-metadata, schema-branch, schema-version | This allows a user to create, update, delete, and read the schema metadata, the schema groups, and the schema branch. It also allows the user to create different versions of the same schema. |
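
The following added example (not part of the original documentation or the Schema Registry project) reviews a set of Ranger policies and lists who holds create, update, or delete access on wildcard Schema Registry resources. It assumes the policies are available in Ranger's policy JSON model and that the resource keys match the names used in the default policy titles; the users, groups, and the `orders-readers` policy are constructed sample data.

```python
# Added example: audit Ranger policies for broad write access to Schema Registry.
# Assumptions: policies follow Ranger's policy JSON model; resource keys are
# taken from the default policy names on this page; sample data is constructed.
WRITE = {"create", "update", "delete"}
BROAD_GROUPS = {"public"}  # Ranger's built-in group that matches every user

def audit(policies):
    """Return (severity, policy, principal, write_accesses) for every enabled
    policy item that grants write access on all-wildcard resources."""
    findings = []
    for p in policies:
        if not p.get("isEnabled", True):
            continue  # disabled policies grant nothing
        res = p.get("resources", {})
        if not res or not all("*" in r.get("values", []) for r in res.values()):
            continue  # scoped to named resources, not a blanket grant
        for item in p.get("policyItems", []):
            granted = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed", True)}
            writes = sorted(granted & WRITE)
            if not writes:
                continue  # read-only grant
            for kind in ("users", "groups"):
                for name in item.get(kind, []):
                    sev = "HIGH" if kind == "groups" and name in BROAD_GROUPS else "REVIEW"
                    findings.append((sev, p["name"], f"{kind[:-1]}:{name}", writes))
    return findings

def acc(*types):
    """Build a Ranger 'accesses' list for the given access types."""
    return [{"type": t, "isAllowed": True} for t in types]

# Constructed sample policies
SAMPLE = [
    {"name": "all - serde", "isEnabled": True,
     "resources": {"serde": {"values": ["*"]}},
     "policyItems": [{"users": [], "groups": ["public"],
                      "accesses": acc("create", "read", "update", "delete")}]},
    {"name": "all - schema-group, schema-metadata", "isEnabled": True,
     "resources": {"schema-group": {"values": ["*"]}, "schema-metadata": {"values": ["*"]}},
     "policyItems": [{"users": ["schemaregistry"], "groups": [], "accesses": acc("create", "read")}]},
    {"name": "orders-readers", "isEnabled": True,
     "resources": {"schema-group": {"values": ["kafka"]}, "schema-metadata": {"values": ["orders*"]}},
     "policyItems": [{"users": [], "groups": ["analysts"], "accesses": acc("read")}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A HIGH finding means every authenticated user holds write access through that policy; REVIEW findings are named principals whose blanket write access should be confirmed against need.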

Updating Default Policies

  1. Sign in to Ranger UI and navigate to the Schema Registry plugin.
  2. In the Actions column, click the edit icon.
  3. In the Allow conditions section, update the users or groups that are allowed access.
  4. Click Save.

Creating Custom Policies

  1. Sign in to Ranger UI and navigate to the Schema Registry plugin.
  2. Click Add new policy.
  3. Enter a valid policy label.
  4. Select Schema Registry Entity, and then select Schema Registry service, group or serde. Optionally enter * to allow the user or group all access controls.
  5. In the Allow conditions section, add the user or group to allow access.
  6. Click Save.