
Minimum ACLs to create key and write data



Hi,

I'm trying to understand what the bare-minimum permissions/ACLs are that need to be given to a user in the following cases:

Creating a Key in Ranger KMS

Writing data to an Encryption Zone

What is the significance of the nn user and what are the minimum permissions I need to define for the nn user?

1 reply

Re: Minimum ACLs to create key and write data

@Vijaya Narayana Reddy Bhoomi Reddy

Creating a Key in Ranger KMS

The user would need Ranger KeyAdmin access. This is different than Ranger Admin access to manage policies.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_KMS_Admin_Guide/content/ch_use_ra...

Writing data to an Encryption Zone

The user would need HDFS write permissions to the folder which is designated as an encryption folder/zone. The user would also need Ranger KMS Decrypt_EEK permissions for the folder.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_hdfs_admin_tools/content/read-write-ez.h...

https://community.hortonworks.com/content/supportkb/49505/how-to-correctly-setup-the-hdfs-encryption...

What is the significance of the nn user and what are the minimum permissions I need to define for the nn user?

"The nn user, or super-user, is the user with the same identity as name node process itself. Loosely, if you started the name node, then you are the super-user. The super-user can do anything in that permissions checks never fail for the super-user. There is no persistent notion of who was the super-user; when the name node is started the process identity determines who is the super-user for now. The HDFS super-user does not have to be the super-user of the name node host, nor is it necessary that all clusters have the same super-user. Also, an experimenter running HDFS on a personal workstation, conveniently becomes that installation’s super-user without any configuration.

In addition, the administrator may identify a distinguished group using a configuration parameter. If set, members of this group are also super-users."

https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#The_...

Regular users do not need to be nn users to access the platform to perform read/write or execute jobs. They would need permissions for these actions specifically.

For Ranger KMS administration see:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/ranger-kms-admin-guide....
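The two permission layers the reply describes, as an added illustration that is not part of the original thread and not Hadoop or Ranger code: a small model of the NameNode's HDFS permission check (including the superuser bypass quoted above) next to the KMS per-key check. User names, paths, key names and the policy tables are constructed. It goes one step beyond the reply, following Hadoop's transparent-encryption design, by also modelling the NameNode's own Generate EEK request that happens when a file is created inside a zone, which is why the nn/hdfs identity needs a KMS policy of its own even though HDFS permission checks never fail for it.

```python
"""
Toy model of the two authorization layers that gate key creation and
writes into an HDFS encryption zone. Added illustration only, not
Ranger/Hadoop code; all users, groups, paths, keys and policies below
are constructed sample data.
"""
from dataclasses import dataclass

# The NameNode process identity (the "nn" / HDFS super-user in the thread).
HDFS_SUPERUSER = "hdfs"

# KMS operations, named as they appear in a Ranger KMS key policy.
CREATE, GET_METADATA, GENERATE_EEK, DECRYPT_EEK = (
    "Create", "Get Metadata", "Generate EEK", "Decrypt EEK")


@dataclass
class Cluster:
    dirs: dict      # directory -> (owner, group, "rwxrwxrwx"-style mode)
    groups: dict    # user -> set of groups
    zones: dict     # encryption zone path -> key name
    kms_acl: dict   # key name or "*" -> {user_or_group: set of operations}


def sample_cluster():
    """Constructed sample data: one zone, one key, a few users."""
    return Cluster(
        dirs={"/data/secure": ("alice", "analysts", "rwxr-x---"),
              "/data/public": ("hdfs", "hdfs", "rwxrwxrwx")},
        groups={"alice": {"analysts"}, "bob": {"analysts"},
                "hdfs": {"hdfs"}, "keyadmin": {"keyadmin"}},
        zones={"/data/secure": "secure_key"},
        kms_acl={
            # Ranger KeyAdmin-style policy on every key
            "*": {"keyadmin": {CREATE, GET_METADATA}},
            # the NameNode needs Generate EEK; the data owners need Decrypt EEK
            "secure_key": {"hdfs": {GENERATE_EEK, GET_METADATA},
                           "analysts": {DECRYPT_EEK}},
        })


def hdfs_can_write(c, user, directory):
    """NameNode-side check: may `user` create a file in `directory`?"""
    if user == HDFS_SUPERUSER:
        return True, "HDFS super-user: permission checks never fail"
    owner, group, mode = c.dirs[directory]
    if user == owner:
        bits = mode[0:3]
    elif group in c.groups.get(user, set()):
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    ok = "w" in bits and "x" in bits   # need write + traverse on the parent
    return ok, f"HDFS {'allows' if ok else 'denies'} {user} write on {directory} ({bits})"


def kms_allows(c, user, key, op):
    """KMS-side check: does a key-specific or wildcard policy grant `op`?"""
    principals = {user} | c.groups.get(user, set())
    for pattern in (key, "*"):
        for principal, ops in c.kms_acl.get(pattern, {}).items():
            if principal in principals and op in ops:
                return True
    return False


def zone_key(c, path):
    """Return the key of the encryption zone containing `path`, or None."""
    for zone, key in c.zones.items():
        if path == zone or path.startswith(zone + "/"):
            return key
    return None


def create_key(c, user, key):
    """Creating a key touches only the KMS: it needs Create on the key name."""
    if not kms_allows(c, user, key, CREATE):
        return False, f"KMS denies {CREATE} on {key} for {user}"
    c.kms_acl.setdefault(key, {})
    return True, f"key {key} created by {user}"


def write_file(c, user, path):
    """Every check a new file in an encryption zone has to pass."""
    directory = path.rsplit("/", 1)[0]
    ok, why = hdfs_can_write(c, user, directory)
    if not ok:
        return False, why
    key = zone_key(c, path)
    if key is None:
        return True, why + "; not in an encryption zone"
    # The NameNode asks the KMS for a fresh EDEK under its own identity.
    if not kms_allows(c, HDFS_SUPERUSER, key, GENERATE_EEK):
        return False, f"KMS denies {GENERATE_EEK} on {key} for NameNode user {HDFS_SUPERUSER}"
    # The client then decrypts that EDEK under the client's own identity.
    if not kms_allows(c, user, key, DECRYPT_EEK):
        return False, f"KMS denies {DECRYPT_EEK} on {key} for {user}"
    return True, f"{user} may write {path}: HDFS ok, EDEK from {HDFS_SUPERUSER}, decrypted by {user}"


if __name__ == "__main__":
    c = sample_cluster()
    for user in ("alice", "keyadmin"):
        print(create_key(sample_cluster(), user, "new_key"))
    for user in ("alice", "bob", "hdfs"):
        print(write_file(c, user, "/data/secure/report.csv"))
```

In the sample data alice passes all three checks, bob is stopped by the HDFS mode bits before the KMS is ever consulted, and the hdfs super-user sails through the HDFS check but is refused Decrypt EEK, which is the reason the reply separates "permissions for these actions specifically" from super-user status. The model ignores HDFS extended ACLs, Ranger HDFS policies and the sticky bit; on a real cluster those are evaluated in the HDFS layer too.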
