Community Articles
Find and share helpful community-sourced technical articles
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here. Want to know more about what has changed? Check out the Community News blog.

How do SQLAuth and HDFS permissions work.

Labels (2)
ssingla
New Contributor

Created on ‎01-03-2017 09:27 PM - edited ‎08-17-2019 06:10 AM

USE CASE

ACCESS MODEL [Let's say in this case TERADATA]

  • User U1 can only read all tables in Database D1 & D2
  • User U2 can Read Database D1 and INSERT , UPDATE , DELETE , SELECT all tables in Database D2. User U2 Cannot DROP or Create Table in Database D2.
  • User U3 can SELECT,INSERT,UPDATE,DELETE,DROP,CREATE (ALL ACCESS) on Database D1 and D2

OBJECTIVE :- Want to have same model on Hadoop with one improvement.

We will have Storage Groups and ACLs – grouping the tables of same subject area. One Database may have more than one storage Group. Say SG11 , SG12 and SG21 and SG22 (SG11 and SG12 are associated with database D1 and SG21 & SG22 with D2)

  • User U1 should read all Tables in D1 and D2 .
  • User U2 should only INSERT,UPDATE,DELETE and SELECT Tables covered by SG11 ( in Database D1) - U2 will not be able to Update tables in SG12 ( in Database D1) but can read
  • User U3 can do all operations on SG11,SG12 ( D1) and SG21,SG22 (D2) and is OWNER of all the objects in D1 and D2 .

OUR TARGET

  • U3 is admin user and is Owner of the object.
  • U2 is batch Id and can write (insert , update , delete , select) to its storage group objects . U2 an read all objects in all selected Storage Groups.
  • U1 is regular user and can read selected storage Groups. (there is more to it but do not want to complicate)

CURRENT PLAN

  • U1 gets “r” via SG1* and SG2*
  • U2 gets “rwx” via SG11 and “r” via SG12 (U2 can drop a table due to SG11) .
  • We grant U2 a role HIVE that has UPDATE, DELETE,INSERT,SELECT but no DROP – It has ACL that allows these operations at File level without being OWNER.
  • U2 tries to Drop a table in SG11 but Hive Role/ authentication does not allow this. U2 can still update rows in table of SG11.

SOLUTION

  • Create users u1,u2,u3
  • Create users under /user/* on hdfs
  • create 4 storage dirs under hdfs
    • /data/[sg11,sg12,sg21,sg22]
  • Grant ACLs to storage directories above:
    • [hdfs@node1 root]$ hdfs dfs -setfacl -m user:u3:rwx /data/sg12[hdfs@node1 root]$ hdfs dfs -setfacl -m user:u3:rwx /data/sg21
    • [hdfs@node1 root]$ hdfs dfs -setfacl -m user:u3:rwx /data/sg22
  • Create 2 databases d1 and d2.
  • hive> desc database d1; OK d1 hdfs://node1.example.com:8020/data/sg11 u3 USER Time taken: 0.275 seconds, Fetched: 1 row(s)
  • hive> desc database d2; OK d2 hdfs://node1.example.com:8020/data/sg21 u3 USER Time taken: 0.156 seconds, Fetched: 1 row(s)
  • [hdfs@node1 root]$ hdfs dfs -setfacl -m user:u2:rwx /data/sg11
  • [hdfs@node1 root]$ hdfs dfs -setfacl -m user:u2:r-- /data/sg12
  • [hdfs@node1 root]$ hdfs dfs -getfacl /data/sg11
  • hdfs@node1 root]$ hdfs dfs -getfacl /data/sg12

11087-file1.png

  • As user U3 see the following:

11088-file2.pngfile2.png(267.4 kB)

  • To get the above working we need to have the following settings:
    • hive.users.in.admin.role = root,hive,u3
    • Choose Authorization = SQLAUTH
    • hive.server2.enable.doAs=true
  • So this works as expected.

233 Views
Don't have an account?
Register
Coming from Hortonworks? Activate your account here
Version history
Revision #:
2 of 2
Last update:
‎08-17-2019 06:10 AM
Updated by:
New Contributor ssingla
 
View article history
Contributors
Top Kudoed Authors
View Full Leaderboard