Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Can Ranger support SEC 17a-4

Labels:
avatar
author-rank avijeetd
Super Collaborator

Created ‎01-02-2017 05:46 AM

Hi,

I was checking the security requirements for SEC 17a-4 and it seems one requirement is Root account should not be able to access a directory

In Ranger - even if a directory is protected for a user/group - hdfs can always access it. However for HBASE I see that hdfs cannot access a table without permissions.

Does it show that SEC 17a-4 cannot be achieved with Ranger-HDFS however can work with Ranger-HBASE?

Thanks,

Avijeet

1,101 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank dvillarreal
Guru

Created ‎01-03-2017 11:29 PM

@Avijeet Dash

I don't necessarily agree with your statement. Maybe I am missing something here. "even if a directory is protected for a user/group - hdfs can always access it."

If you have kerberos enabled and you set the permissions of the directories correctly even hdfs user wouldn't have access unless specified in ranger. http://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/

View solution in original post

1,006 Views
0 Kudos
4 REPLIES 4

avatar
author-rank dvillarreal
Guru

Created ‎01-03-2017 11:29 PM

@Avijeet Dash

I don't necessarily agree with your statement. Maybe I am missing something here. "even if a directory is protected for a user/group - hdfs can always access it."

If you have kerberos enabled and you set the permissions of the directories correctly even hdfs user wouldn't have access unless specified in ranger. http://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/

1,007 Views
0 Kudos

avatar
author-rank avijeetd
Super Collaborator

Created ‎01-04-2017 05:27 AM

Hi @dvillarreal

I have kerberos enabled, I have a directory

d--------- - hr1 hr 0 2016-09-21 09:49 /hr-zone

in Ranger I have given access to /hr-zone to only hr1 user

When I try to see the file as hdfs user I can see it

[root@securityLab01 keytabs]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: hdfs-securityLab@MYDOMAIN.LOCAL

Valid starting Expires Service principal 01/04/2017 05:22:05 01/04/2017 15:22:05 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL renew until 01/11/2017 05:22:05

[root@securityLab01 keytabs]# hadoop fs -ls /hr-zone

Found 2 items

-rw-r--r-- 3 hr1 hr 46878 2016-09-19 07:33 /hr-zone/sample_07.csv

-rw-r--r-- 3 hr1 hr 46892 2016-09-19 07:33 /hr-zone/sample_08.csv

1,006 Views
0 Kudos

avatar
author-rank dvillarreal
Guru

Created ‎01-04-2017 06:07 PM

I see. So you want to remove privileges from Hadoop Super User? I think there are ways around this but not recommended. Let me do a bit more research on this.

1,006 Views
0 Kudos

avatar
author-rank dvillarreal
Guru

Created ‎01-04-2017 09:57 PM

I was unable to find a way around this. The NameNode just gives admin rights to the system user name which started its process, by default hdfs user. You can also give others superuser permissions with dfs.permissions.superusergroup and dfs.cluster.administrators. It seems ranger doesn't disallow superusers unless in the case of KMS encrypted zones. In terms of KMS I can see there is a blacklist mechanism to disallow superuser. I don't think there is a similar feature for Ranger itself.

1,006 Views
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements