https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94739#M7987 <P>User can view entire hdfs dir and navigate more via WebHDFS. hadoop-policy (Access Control Lists) does not seem to be applicable to WebHDFS. how to incorporate ACLs when accessed via WebHDFS?</P> Fri, 02 Oct 2015 03:58:59 GMT smayani 2015-10-02T03:58:59Z https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94739#M7987 <P>User can view entire hdfs dir and navigate more via WebHDFS. hadoop-policy (Access Control Lists) does not seem to be applicable to WebHDFS. how to incorporate ACLs when accessed via WebHDFS?</P> Fri, 02 Oct 2015 03:58:59 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94739#M7987 smayani 2015-10-02T03:58:59Z https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94740#M7988 <P>Are you referring to the hadoop-policy section in core-site and hdfs-site? These do not control security the way you'd expect. For proper ACLs on HDFS do either of these:</P><OL><LI>Secure (Kerberize) your cluster. Ambari automates this. Add Ranger and enable HDFS policies.</LI><LI>If accessing via REST API (WebHDFS) - restrict direct datanode access via a firewall and only allow access via Knox. Knox, in turn, will be able to map an incoming user into an actual role (still, full control with audit will require adding Ranger).</LI></OL><P>Andrew</P> Fri, 02 Oct 2015 06:31:56 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94740#M7988 andrewg 2015-10-02T06:31:56Z https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94741#M7989 <P>The ACLs specified in the hadoop-policy.xml file refer to Hadoop service-level authorization.</P><P><A href="http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html">http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html</A></P><P>These ACLs are enforced on Hadoop RPC service calls. These ACLs are not applicable to access through WebHDFS. In order to fully control authorization to HDFS files, use HDFS permissions and ACLs.</P><P><A href="http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html">http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html</A></P><P>Permissions and ACLs applied to directories and files are enforced for all means of access to the file system.</P><P>Other potential solutions are to use Knox or Ranger.</P> Fri, 30 Oct 2015 04:03:12 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94741#M7989 cnauroth 2015-10-30T04:03:12Z https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94742#M7990 <P><A rel="user" href="https://community.cloudera.com/users/220/smayani.html" nodeid="220">@Saumil Mayani</A> has this been resolved? Can you accept the best answer or provide your own solution?</P> Wed, 03 Feb 2016 01:24:24 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-view-entire-hdfs-dir-and-navigate-further-via/m-p/94742#M7990 aervits 2016-02-03T01:24:24Z