Hdfs Policy not working in Ranger?

Hi,

Before I explain the policy details, let me show you how I created the directory on HDFS.

d--------- - root hdfs 0 2016-09-02 06:47 /test-ranger ----->(no read/write/execute permission for any other 'ugo').

There is a user 'hr_user' to which I want to provide only read access.

But when I log in as hr_user on the machine and try to access that directory, it gives me an error:

Error: Permission denied: user=hr_user, access=READ_EXECUTE, inode="/test-ranger":root:hdfs:d---------

Even though I have given read access to this user.

Please help me.

And one more thing: I am not getting access logs within Ranger under the Audit section.

Please find attached the policy details image.

Re: Hdfs Policy not working in Ranger?

@Manoj Dhake Try adding Execute permission for the directory as well.

Re: Hdfs Policy not working in Ranger?

The problem is that you have not given execute permission; for read we also need both read and execute permission. Can you please try as follows:

screen-shot-2016-09-02-at-63736-pm.png

Re: Hdfs Policy not working in Ranger?

I already tried this approach, but unfortunately it did not work.

Thank you.

Re: Hdfs Policy not working in Ranger?

Can you please check that policy refresh is happening properly? In addition, please check in the access audit logs which policy is denying the request, and whether it is denied due to ranger-acl or hadoop-acl.

Re: Hdfs Policy not working in Ranger?

Good to see you again,

Even those logs I am not able to see in the Access tab of Ranger.

Re: Hdfs Policy not working in Ranger?

See, once you update the policy you can check the plugin audit logs to see whether there is a 200 response there, or you can check the NameNode to see whether policy refresh is happening. Please attach the updated policy screenshot too.

And in the access audit logs you can apply a filter for the HDFS operation; then it will be easy to check the exact operation.

Re: Hdfs Policy not working in Ranger?

@Manoj Dhake

As others have pointed out, you need READ + EXECUTE permission for directories. That is how directory permissions work. You can see in the error message that "READ_EXECUTE" is the permission that is attempted.

In regards to the access logs for Ranger, do you have Ranger audit logging to Solr enabled? If you do, is Solr running ok? The Ranger interface for showing access logs uses Solr. If you only have your logs written to HDFS, you won't see the access logs via the Ranger interface.

Re: Hdfs Policy not working in Ranger?

Hi @Michael Young: just wanted to clarify, why do we need execute permission? I know this is how read permission should apply for directories, but do you know the explanation behind this?

Re: Hdfs Policy not working in Ranger?

@Manoj Dhake

1. Can you make sure Test Connection for the HDFS Ranger repository works fine?

2. Check /var/log/ranger/admin/xa_portal.log for errors.

3. Log in to the node from where you're trying to log in as hr_user and check whether the policy is synced on that node in the path below:

#ls /etc/ranger/<clustername>_hadoop/policycache <-- make sure the policy.json file exists here and also check that the policy you gave for the user is reflected here.

4. Finally, check the NameNode logs for errors as well.
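The check from step 3, combined with the READ + EXECUTE requirement mentioned earlier in the thread, can be scripted. This is an added example, not part of the original thread or of Ranger itself. It assumes the cached policy file is JSON with a `policies` list whose entries carry `resources.path` and `policyItems` (an assumption about the layout), and it ignores groups, wildcards and deny items. The policy shown is a constructed sample.

```python
import json

# Constructed sample, not from the thread: a cached policy granting only "read".
# The field layout is an assumption about the policy cache JSON.
SAMPLE_CACHE = json.dumps({
    "policies": [{
        "name": "test-ranger-read",
        "isEnabled": True,
        "resources": {"path": {"values": ["/test-ranger"], "isRecursive": True}},
        "policyItems": [{"users": ["hr_user"], "groups": [],
                         "accesses": [{"type": "read", "isAllowed": True}]}],
    }]
})

def path_matches(resource, path):
    """True if `path` is covered by the policy's path resource (no wildcards)."""
    for value in resource.get("values", []):
        base = value.rstrip("/") or "/"
        if path == base:
            return True
        if resource.get("isRecursive") and path.startswith(base.rstrip("/") + "/"):
            return True
    return False

def granted_accesses(cache_text, user, path):
    """Collect access types that enabled policies allow `user` on `path`."""
    granted = set()
    for policy in json.loads(cache_text).get("policies", []):
        if not policy.get("isEnabled", True):
            continue
        if not path_matches(policy.get("resources", {}).get("path", {}), path):
            continue
        for item in policy.get("policyItems", []):
            if user in item.get("users", []):
                granted.update(a["type"] for a in item.get("accesses", [])
                               if a.get("isAllowed"))
    return granted

def missing_for_listing(cache_text, user, path):
    """Listing a directory is requested as READ_EXECUTE: both types are needed."""
    return {"read", "execute"} - granted_accesses(cache_text, user, path)

if __name__ == "__main__":
    print(sorted(missing_for_listing(SAMPLE_CACHE, "hr_user", "/test-ranger")))
```

An empty result means the cached policy on that node already grants both access types, so the denial has to be explained elsewhere (policy refresh, NameNode logs).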