
How to restrict a Hadoop user from using Hadoop commands like "chmod, chown or rm"? (Without using ACLs, Ranger or Kerberos)

Rising Star

Hi,

I'm looking for a possible way to restrict a user from using some Hadoop commands. In other words, how to disable a Hadoop command for particular users? Below is the scenario:

[foo@bdlhdptst01 ~]$ whoami 
foo 
[foo@bdlhdptst01 ~]$ hadoop fs -ls /user/foo 
Found 1 item 
-rwxrwxrwx 3 foo hadoop          0 2018-05-21 05:56 /user/foo/test.txt 

For example, I don't want user "foo" to run the below "chmod" command on a file he owns (shown above):

[foo@bdlhdptst01 ~]$ hadoop fs -chmod 700 /user/foo/test.txt 

If we can disable a command at the OS level (Linux) for a user, I believe we can disable the same in Hadoop as well. Any suggestions would be highly appreciated!

Note: Without using ACLs, Ranger or Kerberos

Regards,

Shesh Kumar

9 Replies

Super Guru

@Shesh Kumar,

You can use the Ranger Authorizer to achieve this. You need to create a policy with deny conditions in order to make this work.

https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies


Please "Accept" the answer if this helps.


-Aditya

Rising Star

Hi Aditya,

Thanks for the comment. But we are not using Kerberos or Ranger here.

Our cluster is solely meant for POC purposes (3rd-party Hadoop applications).

I'm looking for a solution without ACLs, Ranger or Kerberos. Will update my question to be more specific.

Thanks,

Shesh Kumar

Guru

What are you trying to achieve with this? If it is a non-Kerberos cluster and you have network access to the cluster, it will still leave holes for a user to go in as any other user. Just blocking hadoop fs access is not possible (unless you block the full hadoop command), and it is not going to help.

You need to go with Kerberos for security and authentication AND then Ranger or ACLs for authorization.

Rising Star

Hi Ravi,

Thanks for the comment. But we are not using Kerberos or Ranger here.

Our cluster is solely meant for POC purposes (3rd-party Hadoop applications).

I'm looking for a solution without ACLs, Ranger or Kerberos. Will update my question to be more specific.

Thanks,

Shesh Kumar

Contributor

I use FreeIPA for Hadoop user auth. It is very easy to do such things in FreeIPA.

You can refer to Example 13 of this document: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/defining-sudorules.html

Example 13.2. Allowing and Denying Commands

The sudo rule can grant access or deny access to commands. For example, this rule would allow read access to files but prevent editing:

$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/less" readfiles
$ ipa sudorule-add-allow-command --sudocmd "/usr/bin/tail" readfiles
$ ipa sudorule-add-deny-command --sudocmd "/usr/bin/vim" readfiles

Rising Star

Hi Mahapatra,

Any better suggestions, as we do not use FreeIPA?

If we can disable a command at the OS level (Linux), I believe we can disable the same in Hadoop.

Thanks,

Shesh Kumar


@Shesh Kumar

Just add the below lines at the start of the hadoop file (/usr/hdp/<version>/hadoop/bin/hadoop and /usr/bin/hadoop):

echo "Sorry! hadoop command is disabled."
exit 1 

But as mentioned by others in earlier comments, there is no security here. Users who have access to these files can edit them and use the hadoop commands.
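The reply above disables the whole launcher. The following wrapper, added here as an example and not code from the thread or from Hadoop, takes that idea one step further: it is installed in place of the launcher, refuses only the `hadoop fs` subcommands the question lists (chmod, chown, chgrp, rm and friends) and passes everything else through to the real launcher. The paths (`/usr/hdp/current/hadoop-client/bin/hadoop.real`) and the denied-command list are assumptions. It has exactly the same limitation as the one-line version: it is a client-side convenience guard, not a security boundary. A user who can edit the file, or who reaches HDFS through any other client path, is still only subject to the NameNode's own permission check, which, as owner of the file, permits the operation.

```shell
#!/bin/sh
# Hypothetical wrapper for the 'hadoop' launcher (added example, not from the thread).
# Assumed layout: the distribution's launcher has been renamed to hadoop.real and
# this script is installed at its original path. The path below is an assumption.
REAL_HADOOP="${REAL_HADOOP:-/usr/hdp/current/hadoop-client/bin/hadoop.real}"

# FsShell subcommands this wrapper refuses to pass through (constructed list).
DENIED_FS_CMDS="-chmod -chown -chgrp -rm -rmr -rmdir"

# is_denied_fs_cmd <word>: returns 0 if <word> is one of the blocked subcommands.
is_denied_fs_cmd() {
    for d in $DENIED_FS_CMDS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# check_args "$@": returns 0 if the invocation may proceed, 1 if it is refused.
# Only the FsShell entry points ('hadoop fs' and its 'dfs' alias) are inspected.
check_args() {
    case "$1" in
        fs|dfs) ;;
        *) return 0 ;;
    esac
    shift
    # Hadoop generic options may precede the FsShell command ("-D k=v", "-conf f",
    # "-fs uri", "-jt host"). Skip them so the real subcommand is the word examined.
    while [ $# -gt 0 ]; do
        case "$1" in
            -D|-conf|-fs|-jt)
                # flag with a separate value: drop both (or just the flag if it is last)
                if [ $# -ge 2 ]; then shift 2; else shift; fi ;;
            -D*) shift ;;          # attached form, e.g. -Dfs.defaultFS=...
            *) break ;;
        esac
    done
    [ $# -gt 0 ] || return 0       # a bare "hadoop fs" only prints usage
    if is_denied_fs_cmd "$1"; then
        return 1
    fi
    return 0
}

# Refuse denied invocations with a message, otherwise hand over to the real launcher.
main() {
    if ! check_args "$@"; then
        echo "Sorry! this hadoop fs command is disabled on this cluster." >&2
        exit 1
    fi
    exec "$REAL_HADOOP" "$@"
}

# Dispatch only when invoked as the launcher itself, so the functions above can be
# sourced and exercised without touching a cluster.
case "${0##*/}" in
    hadoop) main "$@" ;;
esac
```

Logging the refused invocation (user, arguments, time) to syslog from `main` is a cheap addition if the goal is to notice who keeps trying, but the honest fix the other replies give still stands: permission enforcement has to happen at the NameNode, which means Kerberos plus ACLs or Ranger.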

Rising Star

@Sandeep Nemuri

Does it disable Hadoop's "chmod" command?

User should be able to run command like this -- hadoop fs -ls /

but not this -- hadoop fs -chmod 777 /hdfs/path

Thanks,

Shesh


This disables the 'hadoop' command completely. Well, I missed this in the description. Restricting only chmod is not possible without implementing authentication/authorization, AFAIK.