turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Do you mean 
Reply
dwill
Contributor
dwill
Posts: 44
Registered: ‎07-28-2016

Restrict sqoop access/execute

‎03-17-2017 04:19 PM

Hello -

We need to restrict access to running sqoop at the command line in hdfs.  

 

My thought on this was that I would probably have to manage this at the Linux OS layer. 

1. Create a group (sqoop-users) in linux

2.  Add users to that group

3.  use ACLs (via setfacl) to add the new group (sqoop-users) to /usr/bin/sqoop with r-x permissions.

4.  then change permissions via chmod to remove "other" access completely (so chmod 750).

 

Just wondering if anyone has thoughts or suggestions...and if that is the way to go.

 

thanks...

Report Inappropriate Content
Message 1 of 10 (1,265 Views)
Labels:
Reply
0 Kudos
Highlighted
Harsh J
Posts: 1,754
Kudos: 371
Solutions: 279
Registered: ‎07-31-2013

Re: Restrict sqoop access/execute

‎03-18-2017 04:29 AM

What you've proposed will work with a certain class of users. They'll find that the command is unavailable, and they'll accept that, and not try to run Sqoop from source or the jars directly (circumventing the /usr/bin/sqoop wrapper script).

If you're targeting such an enforcement for an advanced set of users (i.e. a more fool-proof way), the proper way would be to revoke/control DB credentials access - Sqoop's of no use without DB access credentials provided at the user's level.
Report Inappropriate Content
Message 2 of 10 (1,246 Views)
Reply
0 Kudos
dwill
Contributor
dwill
Posts: 44
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

‎03-20-2017 07:52 AM

Hi...

 

Thanks for the response.

 

What do you mean by revoking DB access credentials?  Do you mean removing it for the users that we want to prevent from using Sqoop?

 

thanks!

Report Inappropriate Content
Message 3 of 10 (1,220 Views)
Reply
0 Kudos
dwill
Contributor
dwill
Posts: 44
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

‎03-22-2017 09:29 AM

Also, we will need to restrict the ability for users to run sqoop via Hue (Oozie workflows).  Is there a way to do that?

Report Inappropriate Content
Message 4 of 10 (1,197 Views)
Reply
0 Kudos
Champion
Champion
csguna
Posts: 746
Registered: ‎05-16-2016

Re: Restrict sqoop access/execute

‎03-22-2017 08:00 PM

You might want to take look in to this blog. 

It will be helpful for user management  in HUE

 

http://blog.cloudera.com/blog/2012/12/managing-permissions-in-hue/

Report Inappropriate Content
Message 5 of 10 (1,188 Views)
Reply
0 Kudos
Harsh J
Posts: 1,754
Kudos: 371
Solutions: 279
Registered: ‎07-31-2013

Re: Restrict sqoop access/execute

‎03-22-2017 09:01 PM

> What do you mean by revoking DB access credentials? Do you mean removing it for the users that we want to prevent from using Sqoop?

Yes, that's what I'd meant. If the users have access to the DB, they can run Sqoop, or even if you prevent Sqoop specifically on some level, nothing stops them from rolling their own YARN/MR2 program that replicates what Sqoop does (distributed JDBC connections). The only prevention I can think of is to either disallow the users entirely from the remote RDBMS, or allow their connections to be authenticated only from certain whitelisted hosts (MySQL allows this, for ex.).
Report Inappropriate Content
Message 6 of 10 (1,183 Views)
Reply
0 Kudos
Harsh J
Posts: 1,754
Kudos: 371
Solutions: 279
Registered: ‎07-31-2013

Re: Restrict sqoop access/execute

‎03-22-2017 09:05 PM

> Also, we will need to restrict the ability for users to run sqoop via Hue (Oozie workflows). Is there a way to do that?

I posted a reply to a similar question at http://community.cloudera.com/t5/Batch-Processing-and-Workflow/Limit-Available-Action-Nodes-in-Oozie..., perhaps it may be of some use.
Report Inappropriate Content
Message 7 of 10 (1,181 Views)
Reply
0 Kudos
dwill
Contributor
dwill
Posts: 44
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

‎03-23-2017 08:10 AM

@csguna   - thanks for the link.  I had read that already and it doesn't provide for a way to restrict Sqoop.  It does allow for restricting other things...HBase, Impala, etc.   I checked w/Cloudera support and they stated that there isn't a mechanism now.  However, I could create a group and put users in that group to restrict (via read only access to Oozie).  Unfortunately, this might not work for us either.

 

thanks....

 

Report Inappropriate Content
Message 8 of 10 (1,172 Views)
Reply
0 Kudos
dwill
Contributor
dwill
Posts: 44
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

‎03-23-2017 08:12 AM

@Harsh J  - thanks again for the responses and suggestions.

 

In our case, we cannot revoke access at the DB for these users. They access the DB with other tools outside of our cluster (part of their jobs), so we cannot remove it.  

Report Inappropriate Content
Message 9 of 10 (1,171 Views)
Reply
0 Kudos
dwill
Contributor
dwill
Posts: 44
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

‎03-23-2017 08:14 AM

@Harsh J  - I just checked the other post you listed...and that looks close.  Seems that you are stating that there is a way to completely remove Sqoop from the avaiable Oozie workflow options.  That would be great if i could do it on a per user or per group basis.

Report Inappropriate Content
Message 10 of 10 (1,170 Views)
Reply
0 Kudos
Announcements

Share Your Thoughts

New solutions
Find More Solutions