Explorer
Posts: 14
Registered: 04-28-2016
Accepted Solution

Hue and Oozie security - users can access resources they shouldn't?

Hello,

I ask here for advice on Hue configuration.

We are developing a KDC security-enabled cluster with multiple users belonging to various groups.

Currently we rely heavily on Hue and Oozie workflows that are designed from Hue.

Users create their workflows under their own user in Hue. Workflows of a particular user are not accessible to others from the list of workflows, unless explicitly shared, which is fine.

However, there are problems we'd like to solve:

1. Other users can still access the workspaces of those workflows via HDFS, either with Hue's "File browser" or directly via the hdfs command. Particularly from Hue, it seems that anyone can access the workspace directory and even open its files, even if I explicitly change the directory and file permissions to 600. (See screenshot attached)

[screenshot: hue-permissions.png]

2. The properties of the launched workflows can be seen by other users in the "Configuration" tab, regardless of their permissions on the workflow. Can those values be hidden somehow?

[screenshot: hue-configuration-permissions.png]

Thanks in advance!

Master
Posts: 314
Registered: 07-01-2015

Re: Hue and Oozie security - users can access resources they shouldn't?

Regarding the 1st point, are you using Sentry? I am quite sure that, with a correct configuration, HDFS is not browsable from Hue if the owner/group does not match.
Or, maybe you have ACLs enabled on HDFS, and this directory from the screenshot has more permissions. If you have ACLs enabled, then check it with hdfs dfs -getfacl <path>
Explorer
Posts: 14
Registered: 04-28-2016

Re: Hue and Oozie security - users can access resources they shouldn't?

Hi Thomas,

Thank you for your response. We are not using Sentry.

The output of getfacl is:

hdfs dfs -getfacl /user/hue/oozie/workspaces/hue-oozie-1538051691.26
# file: /user/hue/oozie/workspaces/hue-oozie-1538051691.26
# owner: SVC_CTOS_SENTILO
# group: hue
getfacl: The ACL operation has been rejected. Support for ACLs has been disabled by setting dfs.namenode.acls.enabled to false.

Incidentally, I am even able to edit the file that is at 0600, being owned by another user.

I also created a 0600 folder and inside a 0600 file. Same behaviour.

Both users are in the hadoop and hue groups, but that shouldn't be a problem, since as far as I understand it, 0600 means only the owner of the file should be able to read and write, and nobody else.

The owner of the file is SVC_CTOS_SENTILO, from Hue as well as from the hdfs dfs CLI command.

Thank you,

Best Regards

Explorer
Posts: 14
Registered: 04-28-2016

Re: Hue and Oozie security - users can access resources they shouldn't?

All solved, it was a misconfiguration of HDFS.

The property dfs.permissions was set to false (!).

Thanks!
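The root cause found above (dfs.permissions=false) is easy to miss during a review because Hadoop also accepts the newer key dfs.permissions.enabled, and a false value under either name makes the NameNode skip ownership and mode checks entirely, which is exactly why a 0600 file owned by SVC_CTOS_SENTILO was readable and editable by another user. The script below is an added example for this thread, not Cloudera's or Hadoop's own tooling: it parses an hdfs-site.xml and flags the permission and ACL settings that Thomas and the original poster were checking by hand. The property names are real Hadoop keys; the two XML snippets it runs against are constructed here to show the weak setting from the thread beside the corrected one.

```python
import xml.etree.ElementTree as ET

# Real Hadoop property names. "dfs.permissions" is the deprecated alias that
# older configs (and the cluster in this thread) still use for
# dfs.permissions.enabled. Either one set to "false" disables all checks.
PERMISSION_KEYS = ("dfs.permissions.enabled", "dfs.permissions")
ACL_KEY = "dfs.namenode.acls.enabled"


def parse_hdfs_site(xml_text):
    """Return {property name: value} from a Hadoop <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def permissions_enforced(props):
    """True unless some permission key is explicitly 'false'.

    Hadoop defaults dfs.permissions.enabled to true, so an absent key is safe.
    """
    return not any(props.get(k, "true").lower() == "false" for k in PERMISSION_KEYS)


def audit(props):
    """Return a list of (severity, message) findings for a parsed hdfs-site.xml."""
    findings = []
    for key in PERMISSION_KEYS:
        if props.get(key, "true").lower() == "false":
            findings.append(("CRITICAL", f"{key}=false: the NameNode performs no "
                             "ownership or mode checks; any user can read or edit "
                             "any file regardless of its permission bits"))
    acl = props.get(ACL_KEY)
    if acl is None:
        # The default differs between Hadoop versions, so do not guess it here.
        findings.append(("INFO", f"{ACL_KEY} not set in this file; resolve the live "
                         f"value with 'hdfs getconf -confKey {ACL_KEY}'"))
    elif acl.lower() != "true":
        findings.append(("INFO", f"{ACL_KEY}={acl}: 'hdfs dfs -getfacl' is rejected "
                         "and only owner/group/other mode bits apply"))
    return findings


def _site_xml(props):
    """Build a minimal hdfs-site.xml string (constructed sample input)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f'<?xml version="1.0"?><configuration>{body}</configuration>'


# Constructed samples: the misconfiguration from the thread, and its correction.
WEAK_HDFS_SITE = _site_xml({"dfs.permissions": "false",
                            "dfs.namenode.acls.enabled": "false"})
FIXED_HDFS_SITE = _site_xml({"dfs.permissions.enabled": "true",
                             "dfs.namenode.acls.enabled": "true"})

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_HDFS_SITE), ("fixed", FIXED_HDFS_SITE)):
        props = parse_hdfs_site(xml)
        print(f"[{label}] permissions enforced: {permissions_enforced(props)}")
        for severity, message in audit(props):
            print(f"  {severity}: {message}")
```

Run it against the NameNode's own hdfs-site.xml rather than only a client copy, and confirm the live value with `hdfs getconf -confKey dfs.permissions.enabled`. After correcting the property and restarting the NameNode, re-test as a second user: `hdfs dfs -cat` on a 0600 file owned by someone else should now fail with "Permission denied", and Hue's File Browser, which acts through the hue proxy user on behalf of the logged-in user, should show the same denial.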
