
I am creating a policy in Ranger which blocks a user from accessing a file, but the user can still go to that file and write into it through Ambari but cannot write into it if he goes through the command line.

Does Ranger follow the file system permissions?

Super Guru

@khushi kalra Does the Linux user use the same user name when logged into Ambari? There have been bug fixes in Ambari 2.2.0+ on impersonations. What version of Ambari are you using?

HDP-2.3.4.7-4

(2.3.4.7-4)

Yes, from Linux also I am using the same user name. @Sunile Manjee

@khushi kalra Which version of Ambari do you have? Also, what are the values of hadoop.proxyuser.<ambari-user>.hosts and hadoop.proxyuser.<ambari-user>.groups in core-site.xml?

And the best practice to leverage Ranger is to restrict everything at the HDFS ACL level and then grant permissions through Ranger.

Rising Star

@khushi kalra 'Ranger will check all or give permission'; you cannot block a user in Ranger, only give access.

If you want to block a file from a user, lock it via ACL and give the rest access via Ranger.

Thanks

I am using Ambari 2.1.2.1.

    <property> <name>hadoop.proxyuser.falcon.groups</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.falcon.hosts</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.hcat.groups</name> <value>users</value> </property>
    <property> <name>hadoop.proxyuser.hcat.hosts</name> <value>hdpadm03,hdpadm02</value> </property>
    <property> <name>hadoop.proxyuser.hdfs.groups</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.hdfs.hosts</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.hive.groups</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.hive.hosts</name> <value>hdpadm03,hdpadm02</value> </property>
    <property> <name>hadoop.proxyuser.oozie.groups</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.oozie.hosts</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.root.groups</name> <value>*</value> </property>
    <property> <name>hadoop.proxyuser.root.hosts</name> <value>*</value> </property>
    <property> <name>hadoop.security.auth_to_local</name> <value>DEFAULT</value> </property>
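The proxyuser values requested and posted above can be reviewed mechanically. The following Python is an added example, not code from the thread or from Hadoop or Ambari: it parses core-site.xml text and reports which proxy users carry wildcard hosts/groups values. The `ambari_user` argument (the account the Ambari server runs as) is an assumption, and the sample is a constructed subset of the posted properties.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a subset of the properties quoted in the post above.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hive.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hive.hosts</name><value>hdpadm03,hdpadm02</value></property>
  <property><name>hadoop.proxyuser.hcat.groups</name><value>users</value></property>
  <property><name>hadoop.proxyuser.hcat.hosts</name><value>hdpadm03,hdpadm02</value></property>
  <property><name>hadoop.proxyuser.root.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.root.hosts</name><value>*</value></property>
  <property><name>hadoop.security.auth_to_local</name><value>DEFAULT</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."

def proxyuser_rules(core_site_xml):
    """Return {proxy_user: {"hosts": [...], "groups": [...]}} from core-site.xml text."""
    rules = defaultdict(dict)
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # rpartition keeps proxy user names that themselves contain dots intact.
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if kind in ("hosts", "groups"):
            rules[user][kind] = [v.strip() for v in value.split(",") if v.strip()]
    return dict(rules)

def audit(core_site_xml, ambari_user):
    """Report wildcard proxyuser entries and whether ambari_user (assumed name) has any."""
    rules = proxyuser_rules(core_site_xml)
    findings = []
    for user, rule in sorted(rules.items()):
        wild = [k for k in ("hosts", "groups") if rule.get(k) == ["*"]]
        if len(wild) == 2:
            findings.append(f"{user}: may impersonate users of any group from any host")
        elif wild:
            findings.append(f"{user}: wildcard on {wild[0]} only")
    if ambari_user not in rules:
        findings.append(f"{ambari_user}: no proxyuser entries, impersonation will be refused")
    return findings
```
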

@khushi kalra All looks correct. Can you try restricting access at the HDFS level using ACLs and then grant userA rwx permission through Ranger on some test directory in HDFS? Then try accessing that directory through userA and userB, both from Ambari File View and through the CLI. Do let me know your findings. Here is a good example.

https://community.hortonworks.com/articles/10235/apache-ranger-and-hdfs.html
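The advice repeated in the replies above (lock the path down with HDFS permissions, then grant through Ranger) follows from the order in which a request is decided. This Python is an added example, not code from the thread or from Ranger: it is a simplified model that assumes allow-only Ranger policies with native HDFS permission bits as the fallback, and the `Inode`, `AllowPolicy` and `authorize` names and the `/test` directory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Inode:            # simplified: native permission bits only, no ACL entries
    owner: str
    group: str
    mode: int           # e.g. 0o700

@dataclass
class AllowPolicy:      # simplified Ranger HDFS policy: allow-only, recursive on path
    path: str
    users: set
    accesses: set       # subset of {"read", "write", "execute"}

BITS = {"read": 4, "write": 2, "execute": 1}

def hdfs_allows(inode, user, groups, access):
    """Owner/group/other check on the native permission bits."""
    if user == inode.owner:
        shift = 6
    elif inode.group in groups:
        shift = 3
    else:
        shift = 0
    return bool((inode.mode >> shift) & BITS[access])

def covers(policy_path, path):
    """True if path is policy_path or lies beneath it (so /test does not match /testing)."""
    base = policy_path.rstrip("/")
    return path == base or path.startswith(base + "/")

def authorize(policies, inode, path, user, groups, access):
    """Return (allowed, decided_by): a Ranger grant wins, otherwise HDFS decides."""
    for p in policies:
        if covers(p.path, path) and user in p.users and access in p.accesses:
            return True, "ranger"
    return hdfs_allows(inode, user, groups, access), "hdfs"

def scenario():
    """userA has a Ranger grant on /test, userB has none; compare 777 with 700."""
    policies = [AllowPolicy("/test", {"userA"}, {"read", "write", "execute"})]
    open_dir, locked_dir = Inode("hdfs", "hdfs", 0o777), Inode("hdfs", "hdfs", 0o700)
    return {
        "userB/777": authorize(policies, open_dir, "/test/f", "userB", {"users"}, "write"),
        "userB/700": authorize(policies, locked_dir, "/test/f", "userB", {"users"}, "write"),
        "userA/700": authorize(policies, locked_dir, "/test/f", "userA", {"users"}, "write"),
    }
```

With the directory at 777, userB's write is decided by HDFS and succeeds despite the missing Ranger grant; at 700, only the Ranger grant to userA lets anyone other than the owner in.
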
