ATLAS-2718: Documentation for Atlas Ranger authorization

docs/src/site/twiki/Atlas-Authorization-Model.twiki

@@ -100,7 +100,7 @@ atlas.authorizer.impl=ranger
 </verbatim>
 
 Apache Ranger Authorizer requires configuration files to be setup, for example to specify Apache Ranger admin server URL,
-name of the service containing authorization policies, etc. For more details on this, please refer to Apache Ranger documentation.
+name of the service containing authorization policies, etc. For more details please see, [[Atlas-Authorization-Ranger-Authorizer][Setting up Atlas to use Ranger Authorizer]].
 
 
 ---+++  None authorizer

docs/src/site/twiki/Atlas-Authorization-Ranger-Authorizer.twiki

+---+++ Setting up Apache Atlas to use Apache Ranger Authorization
+
+As detailed in [[Atlas-Authorization-Model][Atlas Authorization Model]], Apache Atlas supports pluggable authorization
+model. Apache Ranger provides an authorizer implementation that uses Apache Ranger policies for authorization. In
+addition, the authorizer provided by Apache Ranger audits all authorizations into a central audit store.
+
+---++++  Configure Apache Atlas
+To configure Apache Atlas to use Apache Ranger authorizer, please follow the instructions given below:
+
+   * Include the following property in atlas-application.properties config file:
+   <verbatim>atlas.authorizer.impl=ranger</verbatim>
+
+   If you use Apache Ambari to deploy Apache Atlas and Apache Ranger, enable Atlas plugin in configuration pages for
+   Apache Ranger.
+
+   * Include libraries of Apache Ranger plugin in libext directory of Apache Atlas
+      * =<Atlas installation directory>=/libext/ranger-atlas-plugin-impl/
+      * =<Atlas installation directory>=/libext/ranger-atlas-plugin-shim-<version>.jar
+      * =<Atlas installation directory>=/libext/ranger-plugin-classloader-<version>.jar
+
+   * Include configuration files for Apache Ranger plugin in configuration directory of Apache Atlas - typically under /etc/atlas/conf directory. For more details on configuration file contents, please refer to appropriate documentation in Apache Ranger.
+      * =<Atlas configuration directory>=/ranger-atlas-audit.xml
+      * =<Atlas configuration directory>=/ranger-atlas-security.xml
+      * =<Atlas configuration directory>=/ranger-policymgr-ssl.xml
+      * =<Atlas configuration directory>=/ranger-security.xml
+
+
+---++++  Apache Ranger authorization policy model for Apache Atlas
+
+Apache Ranger authorization policy model for Apache Atlas supports 3 resource hierarchies, to control access to: types,
+entities and admin operations. Following images show various details of each type of policy in Apache Ranger.
+
+   * *Types*
+
+Following authorization policy allows user 'admin' to create/update/delete any classification type.
+<p></p>
+<img alt="Apache Ranger policy for type operations" src="images/twiki/ranger-policy-types.png" width="800" style="border:1px solid black; margin-left:20px"></img>
+
+-------
+
+   * *Entity*
+
+Following authorization policy allows user 'admin' perform all operations on metadata entities of Hive database named "my_db".
+<p></p>
+<img alt="Apache Ranger policy for entity operations" src="images/twiki/ranger-policy-entities.png" width="800" style="border:1px solid black; margin-left:20px"></img>
+
+-------
+
+   * *Admin Operations*
+Following authorization policy allows user 'admin' to perform export/import admin operations.
+<p></p>
+<img alt="Apache Ranger policy for admin operations" src="images/twiki/ranger-policy-admin.png" width="800" style="border:1px solid black; margin-left:20px"></img>
+
+
+-------
+
+---++++  Apache Ranger access audit for Apache Atlas authorizations
+Apache Ranger authorization plugin generates audit logs with details of the access authorized by the plugin. The details
+include the object accessed (eg. hive_table with ID cost_savings.claim_savings@cl1), type of access performed (eg.
+entity-add-classification, entity-remove-classification), name of the user, time of access and the IP address the access
+request came from - as shown in the following image.
+
+<img alt="Apache Ranger audit " src="images/twiki/ranger-audit.png" width="1000" style="border:1px solid black; margin-left:20px"></img>

docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki

@@ -93,7 +93,7 @@ Simple authorizer supports Java reg-ex to specify values for privilege/entity-ty
 
 </verbatim>
 
----+++++  Assign Roles to Users and User Grips
+---+++++  Assign Roles to Users and User Groups
 
 Roles defined above can be assigned (granted) to users as shown below:
 

docs/src/site/twiki/index.twiki

@@ -58,7 +58,8 @@ capabilities around these data assets for data scientists, analysts and the data
    * [[security][Security]]
    * [[Atlas-Authentication][Authentication]]
    * [[Atlas-Authorization-Model][Atlas Authorization Model]]
-      * [[Configure-simple-authorizer][Steps to configure Atlas Simple Authorizer]]
+      * [[Atlas-Authorization-Simple-Authorizer][Steps to configure Atlas Simple Authorizer]]
+      * [[Atlas-Authorization-Ranger-Authorizer][Steps to configure Atlas Ranger Authorizer]]
    * [[ClassificationPropagation][Classification Propagation]]
    * [[Configuration][Configuration]]
    * [[Notifications][Notifications]]