Created 01-02-2017 05:46 AM
Hi,
I was checking the security requirements for SEC 17a-4, and it seems one requirement is that the root account should not be able to access a directory.
In Ranger, even if a directory is protected for a user/group, hdfs can always access it. However, for HBASE I see that hdfs cannot access a table without permissions.
Does it show that SEC 17a-4 cannot be achieved with Ranger-HDFS but can work with Ranger-HBASE?
Thanks,
Avijeet
Created 01-03-2017 11:29 PM
I don't necessarily agree with your statement. Maybe I am missing something here. "even if a directory is protected for a user/group - hdfs can always access it."
If you have Kerberos enabled and you set the permissions of the directories correctly, even the hdfs user wouldn't have access unless specified in Ranger. http://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/
Created 01-04-2017 05:27 AM
Hi @dvillarreal
I have Kerberos enabled, and I have a directory
d--------- - hr1 hr 0 2016-09-21 09:49 /hr-zone
In Ranger I have given access to /hr-zone to only the hr1 user.
When I try to see the files as the hdfs user, I can see them:
[root@securityLab01 keytabs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs-securityLab@MYDOMAIN.LOCAL
Valid starting       Expires              Service principal
01/04/2017 05:22:05  01/04/2017 15:22:05  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
	renew until 01/11/2017 05:22:05
[root@securityLab01 keytabs]# hadoop fs -ls /hr-zone
Found 2 items
-rw-r--r-- 3 hr1 hr 46878 2016-09-19 07:33 /hr-zone/sample_07.csv
-rw-r--r-- 3 hr1 hr 46892 2016-09-19 07:33 /hr-zone/sample_08.csv
Created 01-04-2017 06:07 PM
I see. So you want to remove privileges from the Hadoop superuser? I think there are ways around this, but they are not recommended. Let me do a bit more research on this.
Created 01-04-2017 09:57 PM
I was unable to find a way around this. The NameNode just gives admin rights to the system user name which started its process, by default the hdfs user. You can also give others superuser permissions with dfs.permissions.superusergroup and dfs.cluster.administrators. It seems Ranger doesn't disallow superusers except in the case of KMS encrypted zones. In terms of KMS, I can see there is a blacklist mechanism to disallow the superuser. I don't think there is a similar feature for Ranger itself.
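As an added example (not code from this thread, from Hadoop, or from Ranger), the following script audits the settings the last reply names: it reads hdfs-site.xml to list who bypasses HDFS permission checks (the OS user that started the NameNode plus members of dfs.permissions.superusergroup), reads dfs.cluster.administrators separately, and cross-checks those identities against the KMS blacklist for DECRYPT_EEK, which is the mechanism that keeps a superuser out of encrypted zones. The property names are real Hadoop settings; the two XML documents and their values are constructed samples, and the assumption that the NameNode runs as hdfs is a parameter.

```python
"""Audit HDFS superuser identities against the KMS DECRYPT_EEK blacklist.

Added example; not code from the thread, Hadoop, or Ranger. Property names
are real Hadoop settings; the XML below is a constructed sample.
"""
import xml.etree.ElementTree as ET

# Constructed hdfs-site.xml: members of group 'hdfs' are superusers, and the
# 'ops' user plus group 'hdfs' are cluster administrators (hypothetical values).
HDFS_SITE = """<configuration>
  <property><name>dfs.permissions.superusergroup</name><value>hdfs</value></property>
  <property><name>dfs.cluster.administrators</name><value>ops hdfs</value></property>
</configuration>"""

# Constructed kms-site.xml: only the 'hdfs' *user* is blacklisted from
# DECRYPT_EEK, so other members of the 'hdfs' group are not.
KMS_SITE = """<configuration>
  <property><name>hadoop.kms.blacklist.DECRYPT_EEK</name><value>hdfs</value></property>
</configuration>"""


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style XML file."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_acl(value):
    """Hadoop ACL syntax is 'user1,user2 group1,group2'. A leading space means
    no users (groups only); '*' in either half means everyone."""
    parts = value.split(" ", 1)
    users = parts[0]
    groups = parts[1] if len(parts) > 1 else ""
    return {"users": _csv(users), "groups": _csv(groups)}


def hdfs_superusers(hdfs_props, namenode_user="hdfs"):
    """Identities that bypass HDFS permission checks: the OS user that started
    the NameNode and members of dfs.permissions.superusergroup (default
    'supergroup'). dfs.cluster.administrators is reported separately, since it
    governs administrative access rather than per-file permission checks."""
    group = hdfs_props.get("dfs.permissions.superusergroup", "supergroup")
    admins = parse_acl(hdfs_props.get("dfs.cluster.administrators", ""))
    return {"users": [namenode_user], "groups": [group], "cluster_admins": admins}


def _blocked(identity, entries):
    return "*" in entries or identity in entries


def audit(hdfs_xml, kms_xml, namenode_user="hdfs"):
    """Cross-check superusers against the KMS DECRYPT_EEK blacklist and return
    every superuser identity that is NOT blacklisted, i.e. can still read data
    inside encrypted zones."""
    supers = hdfs_superusers(parse_hadoop_xml(hdfs_xml), namenode_user)
    kms = parse_hadoop_xml(kms_xml)
    blacklist = parse_acl(kms.get("hadoop.kms.blacklist.DECRYPT_EEK", ""))
    return {
        "superusers": supers,
        "kms_blacklist": blacklist,
        "not_blacklisted": {
            "users": [u for u in supers["users"] if not _blocked(u, blacklist["users"])],
            "groups": [g for g in supers["groups"] if not _blocked(g, blacklist["groups"])],
        },
    }


if __name__ == "__main__":
    result = audit(HDFS_SITE, KMS_SITE)
    print("HDFS superusers:", result["superusers"])
    print("KMS DECRYPT_EEK blacklist:", result["kms_blacklist"])
    print("superuser identities still able to decrypt:", result["not_blacklisted"])
```

On the sample configuration the report flags the hdfs group: blacklisting the hdfs user alone does not stop other members of the superuser group from decrypting, so the group half of the ACL needs an entry too. Outside encrypted zones the script has nothing to flag, which matches the reply's point that HDFS superusers are not subject to Ranger policies.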