Can we restrict root directory [level 1 directory] access for users?

Super Guru

I have an HDFS filesystem as below:

------
# sudo -u hdfs hadoop fs -ls /
dr-------- - hdfs hdfs 0 2016-03-09 15:14 /test1
drwxr-xr-x - bat hdfs 0 2016-03-09 15:10 /bat
drwxr-xr-x - hdfs hdfs 0 2016-03-06 11:25 /hdp
drwxr-xr-x - mapred hdfs 0 2016-03-06 11:25 /mapred
drwxrwxrwx - mapred hadoop 0 2016-03-06 11:26 /mr-history
drwxrwxrwx - hdfs hdfs 0 2016-03-08 15:30 /tmp
drwxr-xr-x - hdfs hdfs 0 2016-03-09 04:55 /user
[root@node1 ~]#
--------

I have created a user named 'bat', and the bat user can issue the same command, as shown below:

--------
[bat@node1 ~]$ id
uid=1009(bat) gid=1007(hdfs2) groups=1007(hdfs2)
[bat@node1 ~]$ hadoop fs -ls /
dr-------- - hdfs hdfs 0 2016-03-09 15:14 /test1
drwxr-xr-x - bat hdfs 0 2016-03-09 15:10 /bat
drwxr-xr-x - hdfs hdfs 0 2016-03-06 11:25 /hdp
drwxr-xr-x - mapred hdfs 0 2016-03-06 11:25 /mapred
drwxrwxrwx - mapred hadoop 0 2016-03-06 11:26 /mr-history
drwxrwxrwx - hdfs hdfs 0 2016-03-08 15:30 /tmp
drwxr-xr-x - hdfs hdfs 0 2016-03-09 04:55 /user
[bat@node1 ~]$
--------

Is it possible that the bat user will only be able to see the directories on which he has permission, or of which he is the owner?

So the expected output will be:

[bat@node1 ~]$ id
uid=1009(bat) gid=1007(hdfs2) groups=1007(hdfs2)
[bat@node1 ~]$ hadoop fs -ls /
dr-------- - hdfs hdfs 0 2016-03-09 15:14 /test1
drwxr-xr-x - bat hdfs 0 2016-03-09 15:10 /bat
[bat@node1 ~]$
----

Can we block access to level 1 directories in HDFS/Ranger/etc. in Hadoop?

If not, why is that so?

1 ACCEPTED SOLUTION

Master Guru

Sagar Shimpi - I think this is working as expected, because you have execute permission for other users on the "/" directory on HDFS, so they can see the contents inside "/".

e.g.

[root@sandbox ~]# hadoop fs -ls -d /
drwxr-xr-x   - hdfs hdfs          0 2015-10-27 13:12 /
[root@sandbox ~]#

Explorer

For the actual question on how to then fix the permissions so that users from a different group don't get to see/read it, the below might be helpful.

hdfs dfs -chmod -R 770 <path/to/restrict>

Rising Star

Don't forget to change the umask: either 077 or 027.
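
An added example, not part of the original thread: a small Python model of the owner/group/other permission check, run over the listing lines from the question, showing why `ls /` returns every name while the contents of individual directories can still be locked down with `chmod 770`. It assumes plain permission bits only (no ACLs, no Ranger policies, no superuser bypass), and all function names are hypothetical.

```python
# Constructed model of HDFS POSIX-style checks (assumes no ACLs, Ranger or superuser bypass).
ROOT = "drwxr-xr-x - hdfs hdfs 0 2015-10-27 13:12 /"  # "/" entry from the accepted answer
LISTING = """\
dr-------- - hdfs hdfs 0 2016-03-09 15:14 /test1
drwxr-xr-x - bat hdfs 0 2016-03-09 15:10 /bat
drwxr-xr-x - hdfs hdfs 0 2016-03-06 11:25 /hdp
drwxr-xr-x - mapred hdfs 0 2016-03-06 11:25 /mapred
drwxrwxrwx - mapred hadoop 0 2016-03-06 11:26 /mr-history
drwxrwxrwx - hdfs hdfs 0 2016-03-08 15:30 /tmp
drwxr-xr-x - hdfs hdfs 0 2016-03-09 04:55 /user
"""  # listing lines from the question

def parse(line):
    """Split one `hadoop fs -ls` line into the fields the check needs."""
    mode, _repl, owner, group, _size, _date, _time, path = line.split()
    return {"mode": mode, "owner": owner, "group": group, "path": path}

def bits(entry, user, groups):
    """Pick exactly one rwx triple: owner, else group, else other."""
    m = entry["mode"]
    if user == entry["owner"]:
        return m[1:4]
    return m[4:7] if entry["group"] in groups else m[7:10]

def can_list(entry, user, groups):
    """Listing a directory needs r and x on that directory itself."""
    b = bits(entry, user, groups)
    return b[0] == "r" and b[2] == "x"

def chmod(entry, octal):
    """Return a copy of entry with a new mode, e.g. chmod(e, "770")."""
    rwx = "".join(("r" if int(d) & 4 else "-") + ("w" if int(d) & 2 else "-")
                  + ("x" if int(d) & 1 else "-") for d in octal)
    return {**entry, "mode": entry["mode"][0] + rwx}

def names_seen_in(parent, children, user, groups):
    """`ls parent` is all-or-nothing: the children's own modes are not consulted."""
    return [c["path"] for c in children] if can_list(parent, user, groups) else []

def enterable(children, user, groups):
    """Top-level directories whose contents the user can actually list."""
    return [c["path"] for c in children if can_list(c, user, groups)]

if __name__ == "__main__":
    root, kids = parse(ROOT), [parse(l) for l in LISTING.splitlines()]
    bat = ("bat", {"hdfs2"})  # user and group from the `id` output in the question
    print("names bat sees in /  :", names_seen_in(root, kids, *bat))
    print("dirs bat can list    :", enterable(kids, *bat))
    locked = [chmod(k, "770") if k["path"] == "/hdp" else k for k in kids]
    print("after chmod 770 /hdp :", enterable(locked, *bat))
```

Note that bat's group is `hdfs2`, not `hdfs`, so after `chmod 770` on a directory owned by `hdfs:hdfs` the "other" triple applies to bat and the listing is denied.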
