Reply
Highlighted
New Contributor
Posts: 1
Registered: ‎04-06-2018

Question about restricting File Browser access to only the home directory

I'm trying to look at deployment scenarios for Hue in a multi-tenant environment with restrictions on data visibility in the cluster.  I'm planning on using kerberos and Sentry to restrict access to data within Hive and Impala.  In addition want to allow users to upload data into their home folder /user/{username} freely and use this data for different analytical operations through the currently available Hue apps.

 

File Browser seems to meet this need but my main problem that I am seeing is that I can navigate up from the /user/{username} directory to the root folder in HDFS.  From here I can navigate to a folder like /tmp (which needs 777 permissions) and from there tenants may be able view data that may be in flight from another tenant.  This would be an unnacceptable scenario for my deployment. 

 

This basically leads to my actual question, is there a way that I can restrict the File Browser app in hue from navigating out of the home directory for certain groups of users?  I'd like to be able to allow other users to continue to navigate freely throughout the entirety of HDFS (i.e. administrators).

Posts: 954
Topics: 1
Kudos: 226
Solutions: 121
Registered: ‎04-22-2014

Re: Question about restricting File Browser access to only the home directory

@Bfos,

 

Hue should act as the user with which you logged into Hue.  This means that the user is subject to the HDFS permissions you have configured.  So, in order to restrict access, you can configure the directory permissions appropriately (no read for "other", for instance).

 

Hue has no special access control for HDFS.

 

Just a thought, but I imagine you could configure HTTPFS servers behind a load balancer and then filter URLs somehow to reject access to URLs that contain a path that does not contain the user's name... Might be a bit of work, though, and I'm not sure what sort of proxies and load balancers can do that sort of thing "easily"

Posts: 519
Topics: 14
Kudos: 90
Solutions: 45
Registered: ‎09-02-2016

Re: Question about restricting File Browser access to only the home directory

@Bfos

 

I think that i get into a similar situation long back... a top level manager from a different team needs an Hue access for a POC, he don't know linux, all he needs is a hue access to explore something

 

not sure i can recollect everything that I did in that situation but here are few points which may help you

1. when you create a new user in hue, it will give an option to choose the role/group, so select the role with very limited access initially (if he/she needs additional access, you can edit and add additional role upon request)

2. the problem that you have mentioned is "I can navigate up from the /user/{username} directory to the root folder in HDFS.  From here I can navigate to a folder like /tmp (which needs 777 permissions) and from there tenants may be able view data that may be in flight from another tenant."

 

The answer to your problem is,

a. yes /tmp folder will have 777 permission but any user under /tmp should not be 777, it should be drwx--x---, so one user cannot see data from other user even under /tmp.. if you see any folder belongs to different user with 777, i don't think it is correct one

b. don't try to navigate up from your user id (it may have admin access), as i've mentioned in point one, create a dummy user with limited access and try to navigate from that dummy user ... finally delete that dummy user

 

hope this may help you!!

 

 

Announcements