This is to introduce a new abstraction in Apache Ranger that would allow carving/bucketing of resources in a service into multiple zones, for better administration of security policies. This would enable multiple administrators to setup security policies for a service – based on the zones to which they have been granted administration rights.
For example, let us consider 2 security zones ‘finance’ and ‘sales’:
- Security zone ‘finance’ includes all contents in Hive database named ‘finance’
- Security zone ‘sales’ includes all contents in ‘sales’ database
- Set of users and groups are designated as administrators each zone
- Users are allowed to setup policies only in zones in which they are administrators
- Policies defined in a zone are applicable only for resources of the zone
- A zone can be extended to include resource from multiple services like HDFS, Hive, HBase, Kafka, .., allowing administrators of a zone to setup policies for resources owned by their organization across multiple services.
- Audit logs will include name of the zone in which the accessed resource resides. Only users having appropriate permissions on the security zone can view its audit logs.
Attached document has more details on various aspects of Security Zones.