Providing Authorization with Apache Ranger
Also available as:
loading table of contents...

Create a Time-bound Policy

Where Ranger policies used to be permanent once authored, you can now create a time-bound policy. This enables you to configure a policy to be effective for a specified time range. You can add a validity period to resource- and tag-based policies.

For example, you may want to create a time-bound policy for:
  • Financial information about earnings that is sensitive and restricted only until the earnings release date.
  • Block a certain user for a specific time period (e.g., a compromised user account being investigated needs to be put on "hold" from accessing resources in Hadoop services).
  • Block a certain group for a specific time (e.g., excluding temporary employees from writing on resources during the holiday season).
  1. From Ranger, click on Access Manager > Resource Based Policies | Tag Based Policies > <select the service> > Add New Policy

  2. On the Create Policy page, fill out the required fields.
  3. Click Add Validity Period.
  4. In the Policy Validity Period dialog, specify the Start Time, End Time, and Time Zone.

    Policy Validity Period Example
  5. Optional: You can select the Override option if you want this policy to take precedence over all other policies during its validity period.
    A decision from an 'override policy' will stop further evaluation of policies.
  6. Click Add.