Merge pull request #268354 from abhishjain002/patch-1

Update ranger-policies-for-spark.md

Author: ttorble

articles/hdinsight/spark/media/ranger-policies-for-spark/add-new-user-ranger-lookup.png

@@ -3,7 +3,7 @@ title: Configure Apache Ranger policies for Spark SQL in HDInsight with Enterpri
 description: This article describes how to configure Ranger policies for Spark SQL with Enterprise Security Package.
 ms.service: hdinsight-aks
 ms.topic: how-to
-ms.date: 02/12/2024
+ms.date: 03/07/2024
 ---
 
 # Configure Apache Ranger policies for Spark SQL in HDInsight with Enterprise Security Package
@@ -32,7 +32,7 @@ In this article, you learn how to:
 
 ## Create domain users
 
-For information on how to create **sparkuser** domain users, see [Create an HDInsight cluster with ESP](../domain-joined/apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). In a production scenario, domain users come from your Microsoft Entra tenant.
+For information on how to create `sparkuser` domain users, see [Create an HDInsight cluster with ESP](../domain-joined/apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). In a production scenario, domain users come from your Microsoft Entra tenant.
 
 ## Create a Ranger policy
 
@@ -61,7 +61,7 @@ In this section, you create two Ranger policies:
    | database | default |
    | table | hivesampletable |
    | column | * |
-   | Select User | sparkuser |  
+   | Select User | `sparkuser` |  
    | Permissions | select |
 
    :::image type="content" source="./media/ranger-policies-for-spark/sample-policy-details.png" alt-text="Screenshot that shows sample details for an access policy." lightbox="./media/ranger-policies-for-spark/sample-policy-details.png":::
@@ -101,7 +101,7 @@ The following example shows how to create a policy to mask a column:
    |Hive Database|default|
    |Hive Table| hivesampletable|
    |Hive Column|devicemake|
-   |Select User|sparkuser|
+   |Select User|`sparkuser`|
    |Access Types|select|
    |Select Masking Option|Hash|
 
@@ -145,7 +145,7 @@ Consider these points:
   In such cases, we recommend that you either:
 
   - Use the Hive catalog for both Hive and Spark.
-  - Maintain different database, table, and column names for both Hive and Spark catalogs so that the policies are not applied to databases across catalogs.
+  - Maintain different database, table, and column names for both Hive and Spark catalogs so that the policies aren't applied to databases across catalogs.
 
 - If you use the Hive catalog for both Hive and Spark, consider the following example.  
 
@@ -174,9 +174,9 @@ Let's say that you have the policies defined in the Ranger repo already under th
 
    :::image type="content" source="./media/ranger-policies-for-spark/ambari-config-ranger-security.png" alt-text="Screenshot shows Ambari config ranger security." lightbox="./media/ranger-policies-for-spark/ambari-config-ranger-security.png":::
 
-   You can also open this configuration in **/etc/spark3/conf** by using SSH.
+   or You can also open this configuration in **/etc/spark3/conf** by using SSH.
 
-1. Edit two configurations (**ranger.plugin.spark.service.name** and **ranger.plugin.spark.policy.cache.dir**) to point to the old policy repo **oldclustername_hive**, and then save the configurations.
+   Edit two configurations (**ranger.plugin.spark.service.name** and **ranger.plugin.spark.policy.cache.dir**) to point to the old policy repo **oldclustername_hive**, and then save the configurations.
 
    Ambari:
 
@@ -188,6 +188,14 @@ Let's say that you have the policies defined in the Ranger repo already under th
 
 1. Restart the Ranger and Spark services from Ambari.
 
+1. Open the Ranger admin UI and click on edit button under **HADOOP SQL** service.
+
+   :::image type="content" source="./media/ranger-policies-for-spark/ranger-service-edit.png" alt-text="Screenshot that shows edit option for ranger service." lightbox="./media/ranger-policies-for-spark/ranger-service-edit.png":::
+  
+1. For **oldclustername_hive** service, add **rangersparklookup** user in the **policy.download.auth.users** and **tag.download.auth.users** list and click save.
+  
+   :::image type="content" source="./media/ranger-policies-for-spark/add-new-user-ranger-lookup.png" alt-text="Screenshot that shows how to add user in Ranger service." lightbox="./media/ranger-policies-for-spark/add-new-user-ranger-lookup.png":::
+
 The policies are applied on databases in the Spark catalog. If you want to access the databases in the Hive catalog:
 
 1. In Ambari, go to **Spark3** > **Configs**.
@@ -198,5 +206,4 @@ The policies are applied on databases in the Spark catalog. If you want to acces
 ## Known issues
 
 - Apache Ranger integration with Spark SQL doesn't work if the Ranger admin is down.
-- The Ranger database can be overloaded if more than 20 Spark sessions are started concurrently because of continuous policy pulls.
-- In Ranger audit logs, when you hover over the **Resource** column, it doesn't show the entire query that you ran.
+- In Ranger audit logs, when you hover over the **Resource** column, it can't show the entire query that you ran.