Created 08-04-2018 01:40 PM
Hi,
I'm looking for a possible way to restrict users from using some Hadoop commands. In other words, how do I disable a Hadoop command for particular users? Below is the scenario:
[foo@bdlhdptst01 ~]$ whoami
foo
[foo@bdlhdptst01 ~]$ hadoop fs -ls /user/foo
Found 1 item
-rwxrwxrwx   3 foo hadoop          0 2018-05-21 05:56 /user/foo/test.txt
For example, I don't want user "foo" to be able to run the "chmod" command below on the file he owns (shown above):
[foo@bdlhdptst01 ~]$ hadoop fs -chmod 700 /user/foo/test.txt
If we can disable a command at OS level (Linux) for a user, I believe we can disable the same in Hadoop as well. Any suggestions would be highly appreciated!
Note: Without using ACLs, Ranger or Kerberos
Regards,
Shesh Kumar
Created 08-05-2018 05:23 AM
You can use the Ranger Authorizer to achieve this. You need to create a policy with deny conditions in order to make this work.
https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies
Please "Accept" the answer if this helps.
-Aditya
Created 08-07-2018 11:58 AM
Hi Aditya,
Thanks for the comment. But we are not using Kerberos or Ranger here.
Our cluster is solely meant for POC purpose (3rd party hadoop applications).
I'm looking for a solution without ACLs, Ranger or Kerberos. Will update my question to be more specific.
Thanks,
Shesh Kumar
Created 08-05-2018 06:45 PM
What are you trying to achieve with this? If it is a non-Kerberos cluster and you have network access to it, there will still be holes for a user to go in as any other user. Just blocking hadoop fs access is not possible (unless you block the full hadoop command), and it is not going to help.
You need to go with Kerberos for security and authentication AND then Ranger or ACLs for authorization.
Created 08-07-2018 11:57 AM
Hi Ravi,
Thanks for the comment. But we are not using Kerberos or Ranger here.
Our cluster is solely meant for POC purpose (3rd party hadoop applications).
I'm looking for a solution without ACLs, Ranger or Kerberos. Will update my question to be more specific.
Thanks,
Shesh Kumar
Created 08-07-2018 10:14 AM
I use FreeIPA for the Hadoop user auth. It is very easy to do such things in FreeIPA.
You can refer to Example 13.2 of this document: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/defining-sudorules.html
Example 13.2. Allowing and Denying Commands
The sudo rule can grant access or deny access to commands. For example, this rule would allow read access to files but prevent editing:
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/less" readfiles
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/tail" readfiles
$ ipa sudorule-add-deny-command --sudocmd "/usr/bin/vim" readfiles
Created 08-07-2018 12:02 PM
Hi Mahapatra,
Any better suggestions, as we do not use FreeIPA?
If we can disable a command at OS level (Linux), I believe we can disable the same in Hadoop.
Thanks,
Shesh Kumar
Created 08-07-2018 12:40 PM
Just add the lines below at the start of the hadoop script (/usr/hdp/<version>/hadoop/bin/hadoop and /usr/bin/hadoop):
echo "Sorry! hadoop command is disabled."
exit 1
But as mentioned by others in earlier comments, there is no security here. Users who have access to these files can edit them and use the hadoop commands.
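As an added example (not code from the thread), the wrapper idea above narrowed so that only listed users are refused the permission- and ownership-changing fs subcommands while everything else passes through; the install location, REAL_HADOOP and RESTRICTED_USERS are assumptions, and like the reply says it is a convenience filter on one client, not security.

```shell
#!/bin/sh
# Added example: wrapper installed as /usr/bin/hadoop (hypothetical location),
# with the real launcher moved aside to REAL_HADOOP (assumed path).
REAL_HADOOP="${REAL_HADOOP:-/usr/bin/hadoop.real}"

# Constructed list of users who may not change mode or ownership from this CLI.
RESTRICTED_USERS="foo"

# hadoop_guard <user> <hadoop args...>
# Returns 0 when the invocation may pass through, 1 when it must be refused.
# Only "hadoop fs" is filtered; every other subcommand passes unchanged.
hadoop_guard() {
    guard_user="$1"; shift
    [ "$1" = "fs" ] || return 0
    shift
    for u in $RESTRICTED_USERS; do   # word splitting on the list is intended
        [ "$u" = "$guard_user" ] || continue
        # Scan every remaining argument, not just the first: "hadoop fs" accepts
        # generic options such as -D key=value ahead of the subcommand, so a
        # first-argument check alone would be too narrow. A path that merely
        # looks like one of these flags is refused too (err toward denying).
        for arg in "$@"; do
            case "$arg" in
                -chmod|-chown|-chgrp) return 1 ;;
            esac
        done
    done
    return 0
}

# Dispatch only when invoked under the wrapper's own name, so the file can also
# be sourced for testing without touching the real command.
case "${0##*/}" in
    hadoop)
        caller="$(id -un)"
        if hadoop_guard "$caller" "$@"; then
            exec "$REAL_HADOOP" "$@"
        fi
        echo "Sorry! permission-changing 'hadoop fs' commands are disabled for $caller." >&2
        exit 1
        ;;
esac
```

Anything that reaches HDFS without going through this script is untouched, which is why the reply above says there is no security in it.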
Created 08-10-2018 10:09 AM
Does it disable Hadoop's "chmod" command?
User should be able to run command like this -- hadoop fs -ls /
but not this -- hadoop fs -chmod 777 /hdfs/path
Thanks,
Shesh
Created 08-10-2018 10:44 AM
This disables the 'hadoop' command completely. Well, I missed this in the description. Restricting only chmod is not possible without implementing authentication/authorization AFAIK.