
Adding Tag using REST API in Ranger

To add a tag using the REST API in Ranger, use the following steps:

  1. Create privacera_tags in the Ranger Tag Based Policy.

  2. Associate the privacera_tags to Hive service.

    vi atlas_tag_test.json
    
  3. Edit the JSON file shown below based on your specific table/tag information.

    {
      "op": "replace",
      "serviceName": "dublin_hive",
      "tagVersion": 0,
      "tagDefinitions": {
        "0": {
          "name": "TEST_TAG",
          "source": "Atlas",
          "attributeDefs": [],
          "id": 0,
          "isEnabled": true
        }
      },
      "tags": {
        "0": {
          "type": "TEST_TAG",
          "owner": 0,
          "attributes": {},
          "id": 0,
          "isEnabled": true
        }
      },
      "serviceResources": [
        {
          "serviceName": "dublin_hive",
          "resourceElements": {
            "database": {
              "values": [
                "db_name"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "column": {
              "values": [
                "column_name"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "table": {
              "values": [
                "table_name"
              ],
              "isExcludes": false,
              "isRecursive": false
            }
          },
          "id": 0,
          "isEnabled": true
        }
      ],
      "resourceToTagIds": {
        "0": [
          0
        ]
      }
    }
    

Update the following variables:

  • serviceName

  • tagDefinitions['0'].name

  • tags['0'].type

  • serviceResources[0].serviceName

  • serviceResources[0].resourceElements['database'].values[0]

  • serviceResources[0].resourceElements['column'].values[0]

  • serviceResources[0].resourceElements['table'].values[0]

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -d @atlas_tag_test.json \
    -X PUT http://magenta1.privacera.me:6080/service/tags/importservicetags
    

Make sure the repo is created on Ranger for tags and that Hive has the same tag service selected.

  1. Wait a couple of minutes, then run a ‘select * from’ query in Beeline.

  2. Now, let’s check the Ranger audits.

Hive

  1. Create privacera_tags in the Ranger Tag Based Policy.

  2. Associate the privacera_tags to Hive service.

  3. Create a JSON file where you can add tags.

    vi hive_tag.json
    
  4. Edit the JSON file shown below based on your specific table/tag information.

    {
      "op": "add_or_update",
      "serviceName": "${Hive_Service_Name}",
      "tagVersion": 0,
      "tagDefinitions": {
        "0": {
          "name": "${Tag_Name}",
          "source": "Atlas",
          "attributeDefs": [],
          "id": 0,
          "isEnabled": true
        }
      },
      "tags": {
        "0": {
          "type": "${Tag_Type}",
          "owner": 0,
          "attributes": {},
          "id": 0,
          "isEnabled": true
        }
      },
      "serviceResources": [
        {
          "serviceName": "${Hive_Service_Name}",
          "resourceElements": {
            "database": {
              "values": [
                "${Database}"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "table": {
              "values": [
                "${Table}"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "column": {
              "values": [
                "${Column}"
              ],
              "isExcludes": false,
              "isRecursive": false
            }
          },
          "id": 0,
          "isEnabled": true
        }
      ],
      "resourceToTagIds": {
        "0": [
          0
        ]
      }
    }
    

    Sample hive_tag.json

    {
      "op": "add_or_update",
      "serviceName": "privacera_hive",
      "tagVersion": 0,
      "tagDefinitions": {
        "0": {
          "name": "SSN",
          "source": "Atlas",
          "attributeDefs": [],
          "id": 0,
          "isEnabled": true
        }
      },
      "tags": {
        "0": {
          "type": "SSN",
          "owner": 0,
          "attributes": {},
          "id": 0,
          "isEnabled": true
        }
      },
      "serviceResources": [
        {
          "serviceName": "privacera_hive",
          "resourceElements": {
            "database": {
              "values": [
                "finance"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "table": {
              "values": [
                "ssn_finance_us"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "column": {
              "values": [
                "SocialSecurity"
              ],
              "isExcludes": false,
              "isRecursive": false
            }
          },
          "id": 0,
          "isEnabled": true
        }
      ],
      "resourceToTagIds": {
        "0": [
          0
        ]
      }
    }
    
  5. Push the tag to Ranger.

Add Tag

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -d @hive_tag.json \
    -X PUT http://${RANGER_HOST}:6080/service/tags/importservicetags

Get Tagged Resource

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}.privacera.us:6080/service/tags/resources
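
The JSON templates above repeat the same values in several places (the service name twice, the tag name as both the `tagDefinitions` name and the `tags` type) and tie resources to tags through numeric ids in `resourceToTagIds`. The following Python is an added example, not code from the original page or from Ranger: it generalizes the single-resource template to several resources and tags, and checks those cross-references before the file is pushed. The function names are assumptions, and the checks are derived from the template on this page, not from Ranger's own validation.

```python
import json

def build_service_tags(service_name, tagged_resources, op="add_or_update"):
    """tagged_resources: list of (resource elements dict, list of tag names).
    Assumption: one attribute-less tag instance per tag name, as in the page's samples."""
    payload = {"op": op, "serviceName": service_name, "tagVersion": 0,
               "tagDefinitions": {}, "tags": {}, "serviceResources": [],
               "resourceToTagIds": {}}
    tag_ids = {}  # tag name -> id, shared by tagDefinitions and tags
    for res_id, (elements, tag_names) in enumerate(tagged_resources):
        payload["serviceResources"].append({
            "serviceName": service_name,
            "resourceElements": {
                kind: {"values": [value], "isExcludes": False, "isRecursive": False}
                for kind, value in elements.items()},
            "id": res_id, "isEnabled": True})
        for name in tag_names:
            if name not in tag_ids:  # first use: define the tag once
                tid = tag_ids[name] = len(tag_ids)
                payload["tagDefinitions"][str(tid)] = {"name": name, "source": "Atlas",
                    "attributeDefs": [], "id": tid, "isEnabled": True}
                payload["tags"][str(tid)] = {"type": name, "owner": 0,
                    "attributes": {}, "id": tid, "isEnabled": True}
        payload["resourceToTagIds"][str(res_id)] = [tag_ids[n] for n in tag_names]
    return payload

def check_service_tags(payload):
    """Return cross-reference problems; an empty list means the ids line up."""
    problems = []
    defined = {d["name"] for d in payload["tagDefinitions"].values()}
    tag_ids = {t["id"] for t in payload["tags"].values()}
    res_ids = {r["id"] for r in payload["serviceResources"]}
    for tag in payload["tags"].values():
        if tag["type"] not in defined:
            problems.append(f"tag type {tag['type']} has no tagDefinition")
    for res in payload["serviceResources"]:
        if res["serviceName"] != payload["serviceName"]:
            problems.append(f"resource {res['id']} names service {res['serviceName']}")
    for rid, tids in payload["resourceToTagIds"].items():
        if int(rid) not in res_ids:
            problems.append(f"resourceToTagIds key {rid} matches no resource")
        problems += [f"resource {rid} maps to unknown tag id {t}"
                     for t in tids if t not in tag_ids]
    return problems

if __name__ == "__main__":  # constructed input: the values of the page's Hive sample
    doc = build_service_tags("privacera_hive", [(
        {"database": "finance", "table": "ssn_finance_us", "column": "SocialSecurity"}, ["SSN"])])
    print(check_service_tags(doc) or json.dumps(doc, indent=2))
```

Redirect the printed JSON to `hive_tag.json` and push it with the Add Tag command above.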

S3

  1. Create privacera_tags in the Ranger Tag Based Policy.

  2. Associate the privacera_tags to S3 Service.

  3. Create a JSON file where you can add tags.

    vi s3_tag.json
    
    {
      "op": "add_or_update",
      "serviceName": "${S3_Service_Name}",
      "tagVersion": 0,
      "tagDefinitions": {
        "0": {
          "name": "${Tag_Name}",
          "source": "Atlas",
          "attributeDefs": [],
          "id": 0,
          "isEnabled": true
        }
      },
      "tags": {
        "0": {
          "type": "${Tag_Type}",
          "owner": 0,
          "attributes": {},
          "id": 0,
          "isEnabled": true
        }
      },
      "serviceResources": [
        {
          "serviceName": "${S3_Service_Name}",
          "resourceElements": {
            "bucketname": {
              "values": [
                "${Bucket_Name}"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "objectpath": {
              "values": [
                "${Resource_Path_Name}"
              ],
              "isExcludes": false,
              "isRecursive": false
            }
          },
          "id": 0,
          "isEnabled": true
        }
      ],
      "resourceToTagIds": {
        "0": [
          0
        ]
      }
    }
    

    Sample JSON:

    {
      "op": "add_or_update",
      "serviceName": "privacera_s3",
      "tagVersion": 0,
      "tagDefinitions": {
        "0": {
          "name": "SSN",
          "source": "Atlas",
          "attributeDefs": [],
          "id": 0,
          "isEnabled": true
        }
      },
      "tags": {
        "0": {
          "type": "SSN",
          "owner": 0,
          "attributes": {},
          "id": 0,
          "isEnabled": true
        }
      },
      "serviceResources": [
        {
          "serviceName": "privacera_s3",
          "resourceElements": {
            "bucketname": {
              "values": [
                "pscanzone"
              ],
              "isExcludes": false,
              "isRecursive": false
            },
            "objectpath": {
              "values": [
                "finance/finance_us.csv"
              ],
              "isExcludes": false,
              "isRecursive": false
            }
          },
          "id": 0,
          "isEnabled": true
        }
      ],
      "resourceToTagIds": {
        "0": [
          0
        ]
      }
    }
    
  4. Push the tag to Ranger.

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -d @s3_tag.json \
    -X PUT http://${RANGER_HOST}.privacera.com:6080/service/tags/importservicetags
    

    Response:

    HTTP/1.1 204 No Content
    Set-Cookie: RANGERADMINSESSIONID=517FD2032481415D188C6925FA96E7E3; Path=/; HttpOnly
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Content-Type-Options: nosniff
    Content-Type: application/json
    Date: Sun, 08 Mar 2020 18:55:44 GMT
    Server: Apache Ranger
    

    To get the list of tagged resources:

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}.privacera.com:6080/service/tags/resources
    

    Response:

    [
      {
        "id": 5,
        "guid": "6b9234f1-69d9-40b0-9865-fe5bec45b469",
        "isEnabled": true,
        "createdBy": "Admin",
        "updatedBy": "Admin",
        "createTime": 1581570409000,
        "updateTime": 1581570409000,
        "version": 2,
        "serviceName": "privacera_hive",
        "resourceElements": {
          "database": {
            "values": [
              "sales"
            ],
            "isExcludes": false,
            "isRecursive": false
          },
          "column": {
            "values": [
              "name"
            ],
            "isExcludes": false,
            "isRecursive": false
          },
          "table": {
            "values": [
              "sales_data"
            ],
            "isExcludes": false,
            "isRecursive": false
          }
        },
        "resourceSignature": "82a4eb3e2148ee77686538a653dc6d8e027e9b3443b5b09494af6a38db815a64"
      },
      {
        "id": 7,
        "guid": "76ef1384-8432-4ed5-9778-c305bfb6d4c0",
        "isEnabled": true,
        "createdBy": "Admin",
        "updatedBy": "Admin",
        "createTime": 1583715849000,
        "updateTime": 1583715849000,
        "version": 2,
        "serviceName": "privacera_s3",
        "resourceElements": {
          "bucketname": {
            "values": [
              "pscanzone"
            ],
            "isExcludes": false,
            "isRecursive": false
          },
          "objectpath": {
            "values": [
              "finance/finance_us.csv"
            ],
            "isExcludes": false,
            "isRecursive": false
          }
        },
        "resourceSignature": "02d7ffe3fc9065ed63c935faec14268cc6f3823aa68b2b81a030e5c93cb60843"
      }
    ]
    

Test the Tag-Based Policies for S3 with the sample given above:

  1. Create user <kate> in EC2 and add permissions read, metaread, write, metawrite to the S3 bucket ${Bucket_Name} in privacera_s3 service.

  2. Create a deny tag-based policy for user <kate> - tag = SSN, Component = S3, permissions = read, write.

  3. Now try to access the ${Bucket_Name} with user <kate>.

  4. A denied audit with the ${SSN} tag is seen in the audits.

REST API

Add Tag

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -d @atlas_tag_test.json \
    -X PUT http://${RANGER_HOST}:6080/service/tags/importservicetags

Get Tagged Resource

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}:6080/service/tags/resources

Delete Tagged Resource

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X DELETE http://${RANGER_HOST}:6080/service/tags/resource/${resourceId}

Get ALL Tags

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}:6080/service/tags/tags

Get Tag by ID

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}:6080/service/tags/tag/{id}

List All Tagged Resources

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}:6080/service/tags/resources

List Tag-Resource Mapping

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}:6080/service/tags/tagresourcemaps

Get Tagged Resources By ResourceID

    curl -i -L -k -u admin:${RANGER_ADMIN_PASSWORD} \
    -H "Content-type: application/json" \
    -X GET http://${RANGER_HOST}:6080/service/tags/resource/${resourceId}