How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

New Contributor

Hi,

I'm looking for a possible way to restrict a user from using some Hadoop commands. In other words, how to disable a Hadoop command for particular users? Below is the scenario:

[foo@bdlhdptst01 ~]$ whoami 
foo 
[foo@bdlhdptst01 ~]$ hadoop fs -ls /user/foo 
Found 1 item 
-rwxrwxrwx 3 foo hadoop          0 2018-05-21 05:56 /user/foo/test.txt 

For example, I don't want the user "foo" to run the "chmod" command below on the file which he owns (shown above):

[foo@bdlhdptst01 ~]$ hadoop fs -chmod 700 /user/foo/test.txt 

If we can disable a command at the OS level (Linux) for a user, I believe we can disable the same in Hadoop as well. Any suggestions would be highly appreciated!

Note: Without using ACLs, Ranger or Kerberos

Regards,

Shesh Kumar

9 REPLIES

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

@Shesh Kumar,

You can use Ranger Authorizer to achieve this. You need to create a policy with deny conditions in order to make this work.

https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies


Please "Accept" the answer if this helps.


-Aditya

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

New Contributor

Hi Adithya,

Thanks for the comment. But we are not using Kerberos or Ranger here.

Our cluster is solely meant for POC purposes (3rd party hadoop applications).

I'm looking for a solution without ACLs, Ranger or Kerberos. Will update my question to be more specific.

Thanks,

Shesh Kumar

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

Guru

What are you trying to achieve with this? If it is a non-Kerberos cluster and you have network access to the cluster, it will still leave holes for a user to go in as any other user. Just blocking hadoop fs access is not possible (unless you block the full hadoop command), and it is not going to help.

You need to go with Kerberos for security and authentication AND then ranger or ACLs for authorization.

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

New Contributor

Hi Ravi,

Thanks for the comment. But we are not using Kerberos or Ranger here.

Our cluster is solely meant for POC purposes (3rd party hadoop applications).

I'm looking for a solution without ACLs, Ranger or Kerberos. Will update my question to be more specific.

Thanks,

Shesh Kumar

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

New Contributor

I use freeIPA for the hadoop user auth. It is very easy to do such things in freeIPA.

You can refer to example 13 of this document: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/defining-sudorules.html

Example 13.2. Allowing and Denying Commands

The sudo rule can grant access or deny access to commands. For example, this rule would allow read access to files but prevent editing:

$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/less" readfiles
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/tail" readfiles
$ ipa sudorule-add-deny-command --sudocmd "/usr/bin/vim" readfiles

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

New Contributor

Hi Mahapatra,

Any better suggestions, as we do not use freeIPA?

If we can disable a command at the OS level (Linux), I believe we can disable the same in Hadoop.

Thanks,

Shesh Kumar

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

@Shesh Kumar

Just add the lines below at the start of the hadoop file (/usr/hdp/<version>/hadoop/bin/hadoop and /usr/bin/hadoop).

echo "Sorry! hadoop command is disabled."
exit 1 

But as mentioned by others in earlier comments, there is no security here. Users who have access to these files can edit them and use the hadoop commands.

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

New Contributor

@Sandeep Nemuri

Does it disable Hadoop's "chmod" command?

User should be able to run command like this -- hadoop fs -ls /

but not this -- hadoop fs -chmod 777 /hdfs/path

Thanks,

Shesh

Re: How to restrict a hadoop user to use a hadoop commands like "chmod, chown or rm" ? (Without using ACLs, Ranger or Kerberos)

This disables the 'hadoop' command completely. Well, I missed this in the description. Restricting only chmod is not possible without implementing authentication/authorization AFAIK.
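
An added example, not code from any poster in this thread: the wrapper idea above narrowed so that `hadoop fs -ls /` still runs while `-chmod`, `-chown` and `-rm` are refused on this host. `REAL_HADOOP`, `DENIED` and the function names are assumptions for illustration; as the answers already say, this is a convenience guard only and not authorization, since anyone who can edit the wrapper or reach the cluster some other way is not restricted by it.

```shell
#!/bin/sh
# Added example: subcommand-aware guard for a hadoop/hdfs wrapper script.
# REAL_HADOOP is a hypothetical path to the original launcher after it has
# been moved aside; DENIED lists the fs subcommands to refuse (assumption).
REAL_HADOOP="${REAL_HADOOP:-/usr/bin/hadoop.real}"
DENIED="-chmod -chown -rm"

# Prints the denied fs subcommand and returns 1, or returns 0 if allowed.
check_fs_args() {
    case "${1:-}" in
        fs|dfs) shift ;;      # "hadoop fs", "hadoop dfs" or "hdfs dfs"
        *) return 0 ;;        # anything else (version, jar, ...) is not inspected
    esac
    # Skip Hadoop generic options that may precede the fs subcommand.
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -D|-conf|-fs|-jt|-files|-libjars|-archives)
                shift
                if [ "$#" -gt 0 ]; then shift; fi ;;   # drop the option's value
            -D*) shift ;;                               # -Dkey=value form
            *) break ;;
        esac
    done
    # Only the subcommand position is compared, so a path that merely
    # contains "-chmod" (for example as a file name) is not blocked.
    for d in $DENIED; do
        if [ "${1:-}" = "$d" ]; then
            echo "$d"
            return 1
        fi
    done
    return 0
}

# Runs the real launcher unless the call is a denied fs subcommand.
guarded_hadoop() {
    if ! denied=$(check_fs_args "$@"); then
        echo "Sorry! 'hadoop fs $denied' is disabled on this host." >&2
        return 1
    fi
    "$REAL_HADOOP" "$@"
}
```

To use it as the wrapper script itself, end the file with `guarded_hadoop "$@"`.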