Contributor
Posts: 39
Registered: ‎07-28-2016

Restrict sqoop access/execute

Hello -

We need to restrict access to running sqoop at the command line in hdfs.  

 

My thought on this was that I would probably have to manage this at the Linux OS layer. 

1. Create a group (sqoop-users) in Linux

2. Add users to that group

3. Use ACLs (via setfacl) to add the new group (sqoop-users) to /usr/bin/sqoop with r-x permissions.

4. Then change permissions via chmod to remove "other" access completely (so chmod 750).

 

Just wondering if anyone has thoughts or suggestions...and if that is the way to go.

 

thanks...

Posts: 1,537
Kudos: 277
Solutions: 234
Registered: ‎07-31-2013

Re: Restrict sqoop access/execute

What you've proposed will work with a certain class of users. They'll find that the command is unavailable, and they'll accept that, and not try to run Sqoop from source or the jars directly (circumventing the /usr/bin/sqoop wrapper script).

If you're targeting such an enforcement for an advanced set of users (i.e. a more fool-proof way), the proper way would be to revoke/control DB credentials access - Sqoop's of no use without DB access credentials provided at the user's level.
Backline Customer Operations Engineer
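
The four steps from the original post, followed by a check of the result, as an added example that is not part of any post in this thread. The function names and the `SQOOP_BIN` / `SQOOP_GROUP` variables are assumptions made for the example; the path and group name are the ones given in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the names used in the post;
# override them through the environment.
SQOOP_BIN="${SQOOP_BIN:-/usr/bin/sqoop}"
SQOOP_GROUP="${SQOOP_GROUP:-sqoop-users}"

# Steps 1-4 of the post. Run as root; arguments are the users to allow.
restrict_launcher() {
    getent group "$SQOOP_GROUP" >/dev/null || groupadd "$SQOOP_GROUP"  # 1
    for u in "$@"; do usermod -aG "$SQOOP_GROUP" "$u"; done            # 2
    setfacl -m "g:${SQOOP_GROUP}:r-x" "$SQOOP_BIN"                     # 3
    # On a file that carries an ACL, the group digit of chmod sets the ACL
    # mask: 750 leaves r-x effective for the named group, 700 would not.
    chmod 750 "$SQOOP_BIN"                                             # 4
}

# True when "other" has no permission bits (characters 8-10 of the mode).
other_is_locked_out() {
    [ "$(ls -ldL "$1" | cut -c8-10)" = "---" ]
}

# Reads getfacl output on stdin; true when group $1 has effective r-x.
group_can_execute() {
    awk -F: -v g="$1" '
        $1 == "group" && $2 == g {
            perms = $3
            # getfacl appends "#effective:xyz" when the mask cuts rights.
            if (match($0, /#effective:/)) perms = substr($0, RSTART + 11, 3)
            ok = (perms ~ /^r.x/)
        }
        END { exit !ok }'
}

# Check the launcher after restrict_launcher has run.
audit_launcher() {
    other_is_locked_out "$SQOOP_BIN" &&
        getfacl -p "$SQOOP_BIN" 2>/dev/null | group_can_execute "$SQOOP_GROUP"
}
```

`audit_launcher` covers only the wrapper at that path; as the reply above notes, it says nothing about Sqoop being run from the jars directly.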
Contributor
Posts: 39
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

Hi...

 

Thanks for the response.

 

What do you mean by revoking DB access credentials?  Do you mean removing it for the users that we want to prevent from using Sqoop?

 

thanks!

Contributor
Posts: 39
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

Also, we will need to restrict the ability for users to run sqoop via Hue (Oozie workflows).  Is there a way to do that?

Champion
Posts: 562
Registered: ‎05-16-2016

Re: Restrict sqoop access/execute

You might want to take a look at this blog.

It will be helpful for user management in HUE

 

http://blog.cloudera.com/blog/2012/12/managing-permissions-in-hue/

Posts: 1,537
Kudos: 277
Solutions: 234
Registered: ‎07-31-2013

Re: Restrict sqoop access/execute

> What do you mean by revoking DB access credentials? Do you mean removing it for the users that we want to prevent from using Sqoop?

Yes, that's what I'd meant. If the users have access to the DB, they can run Sqoop, or even if you prevent Sqoop specifically on some level, nothing stops them from rolling their own YARN/MR2 program that replicates what Sqoop does (distributed JDBC connections). The only prevention I can think of is to either disallow the users entirely from the remote RDBMS, or allow their connections to be authenticated only from certain whitelisted hosts (MySQL allows this, for ex.).
Backline Customer Operations Engineer
Posts: 1,537
Kudos: 277
Solutions: 234
Registered: ‎07-31-2013

Re: Restrict sqoop access/execute

> Also, we will need to restrict the ability for users to run sqoop via Hue (Oozie workflows). Is there a way to do that?

I posted a reply to a similar question at http://community.cloudera.com/t5/Batch-Processing-and-Workflow/Limit-Available-Action-Nodes-in-Oozie..., perhaps it may be of some use.
Backline Customer Operations Engineer
Contributor
Posts: 39
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

@csguna - thanks for the link. I had read that already and it doesn't provide for a way to restrict Sqoop. It does allow for restricting other things...HBase, Impala, etc. I checked w/Cloudera support and they stated that there isn't a mechanism now. However, I could create a group and put users in that group to restrict (via read only access to Oozie). Unfortunately, this might not work for us either.

 

thanks....

 

Contributor
Posts: 39
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

@Harsh J  - thanks again for the responses and suggestions.

 

In our case, we cannot revoke access at the DB for these users. They access the DB with other tools outside of our cluster (part of their jobs), so we cannot remove it.  

Contributor
Posts: 39
Registered: ‎07-28-2016

Re: Restrict sqoop access/execute

@Harsh J - I just checked the other post you listed...and that looks close. Seems that you are stating that there is a way to completely remove Sqoop from the available Oozie workflow options. That would be great if I could do it on a per user or per group basis.
