question Re: Can Ranger support SEC 17a-4 in Archives of Support Questions (Read Only)

Can Ranger support SEC 17a-4

avijeetd — Mon, 02 Jan 2017 13:46:33 GMT

Hi,

I was checking the security requirements for SEC 17a-4 and it seems one requirement is Root account should not be able to access a directory

In Ranger - even if a directory is protected for a user/group - hdfs can always access it. However for HBASE I see that hdfs cannot access a table without permissions.

Does it show that SEC 17a-4 cannot be achieved with Ranger-HDFS however can work with Ranger-HBASE?

Thanks,

Avijeet

Re: Can Ranger support SEC 17a-4

dvillarreal — Wed, 04 Jan 2017 07:29:12 GMT

@Avijeet Dash

I don't necessarily agree with your statement. Maybe I am missing something here. "even if a directory is protected for a user/group - hdfs can always access it."

If you have kerberos enabled and you set the permissions of the directories correctly even hdfs user wouldn't have access unless specified in ranger. http://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/

Re: Can Ranger support SEC 17a-4

avijeetd — Wed, 04 Jan 2017 13:27:50 GMT

Hi @dvillarreal

I have kerberos enabled, I have a directory

d--------- - hr1 hr 0 2016-09-21 09:49 /hr-zone

in Ranger I have given access to /hr-zone to only hr1 user

When I try to see the file as hdfs user I can see it

[root@securityLab01 keytabs]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: hdfs-securityLab@MYDOMAIN.LOCAL

Valid starting Expires Service principal 01/04/2017 05:22:05 01/04/2017 15:22:05 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL renew until 01/11/2017 05:22:05

[root@securityLab01 keytabs]# hadoop fs -ls /hr-zone

Found 2 items

-rw-r--r-- 3 hr1 hr 46878 2016-09-19 07:33 /hr-zone/sample_07.csv

-rw-r--r-- 3 hr1 hr 46892 2016-09-19 07:33 /hr-zone/sample_08.csv

Re: Can Ranger support SEC 17a-4

dvillarreal — Thu, 05 Jan 2017 02:07:40 GMT

I see. So you want to remove privileges from Hadoop Super User? I think there are ways around this but not recommended. Let me do a bit more research on this.

Re: Can Ranger support SEC 17a-4

dvillarreal — Thu, 05 Jan 2017 05:57:28 GMT

I was unable to find a way around this. The NameNode just gives admin rights to the system user name which started its process, by default hdfs user. You can also give others superuser permissions with dfs.permissions.superusergroup and dfs.cluster.administrators. It seems ranger doesn't disallow superusers unless in the case of KMS encrypted zones. In terms of KMS I can see there is a blacklist mechanism to disallow superuser. I don't think there is a similar feature for Ranger itself.