
Minimum ACLs to create key and write data


Hi,

I'm trying to understand what the bare-minimum permissions/ACLs are that must be given to a user in the following cases:

Creating a Key in Ranger KMS

Writing data to an Encryption Zone

What is the significance of the nn user and what are the minimum permissions I need to define for the nn user?


Re: Minimum ACLs to create key and write data

@Vijaya Narayana Reddy Bhoomi Reddy

Creating a Key in Ranger KMS

The user would need Ranger KeyAdmin access. This is different from Ranger Admin access to manage policies.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_KMS_Admin_Guide/content/ch_use_ra...

Writing data to an Encryption Zone

The user would need HDFS write permissions to the folder which is designated as an encryption folder/zone. The user would also need Ranger KMS Decrypt_EEK permissions for the folder.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_hdfs_admin_tools/content/read-write-ez.h...

https://community.hortonworks.com/content/supportkb/49505/how-to-correctly-setup-the-hdfs-encryption...

What is the significance of the nn user and what are the minimum permissions I need to define for the nn user?

"The nn user, or super-user, is the user with the same identity as name node process itself. Loosely, if you started the name node, then you are the super-user. The super-user can do anything in that permissions checks never fail for the super-user. There is no persistent notion of who was the super-user; when the name node is started the process identity determines who is the super-user for now. The HDFS super-user does not have to be the super-user of the name node host, nor is it necessary that all clusters have the same super-user. Also, an experimenter running HDFS on a personal workstation, conveniently becomes that installation’s super-user without any configuration.

In addition, the administrator may identify a distinguished group using a configuration parameter. If set, members of this group are also super-users."

https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#The_...

Regular users do not need to be nn users to access the platform to perform read/write or execute jobs. They would need permissions for these actions specifically.

For Ranger KMS administration see:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/ranger-kms-admin-guide....
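As an added illustration (not code from this thread, from Ranger or from Hadoop), here is a small Python model of the two-layer check the answer describes: writing into an encryption zone needs both HDFS write permission on the directory and the Ranger KMS "Decrypt EEK" permission on the zone's key, and the KMS layer is evaluated on its own, so HDFS super-user status (the nn user) does not satisfy it. The zone path, key name, users, groups and policy below are all constructed sample data.

```python
from collections import namedtuple

# Constructed model of the two authorization layers described in the answer.
User = namedtuple("User", "name groups")                 # groups: set of group names
KmsPolicy = namedtuple("KmsPolicy", "keys users groups permissions")  # Ranger KMS policy; keys may hold "*"
Hdfs = namedtuple("Hdfs", "superuser supergroup dirs zones")
# superuser: identity the NameNode process runs as ("nn"); supergroup: dfs.permissions.superusergroup
# dirs: directory -> (owner, group, mode); zones: encryption zone path -> KMS key name

def kms_allows(user, key, perm, policies):
    """Ranger KMS key ACL check. Being HDFS super-user gives no bypass at this layer."""
    return any((key in p.keys or "*" in p.keys) and perm in p.permissions
               and (user.name in p.users or user.groups & p.groups) for p in policies)

def hdfs_can_write(user, path, hdfs):
    """POSIX-style write check on the directory; checks never fail for the super-user."""
    if user.name == hdfs.superuser or hdfs.supergroup in user.groups:
        return True
    owner, group, mode = hdfs.dirs[path]
    bit = 0o200 if user.name == owner else 0o020 if group in user.groups else 0o002
    return bool(mode & bit)

def zone_key(path, hdfs):
    """Key of the innermost encryption zone containing path, or None if not in an EZ."""
    zs = [z for z in hdfs.zones if path == z or path.startswith(z.rstrip("/") + "/")]
    return hdfs.zones[max(zs, key=len)] if zs else None

def missing_for_ez_write(user, path, hdfs, policies):
    """Everything the user still lacks to write under path; an empty list means allowed."""
    missing = [] if hdfs_can_write(user, path, hdfs) else [f"HDFS write on {path}"]
    key = zone_key(path, hdfs)
    if key and not kms_allows(user, key, "Decrypt EEK", policies):
        missing.append(f"KMS 'Decrypt EEK' on key {key}")
    return missing

# Constructed sample: /data/secure is an EZ keyed by "fin_key"; only the finance group may decrypt.
HDFS = Hdfs("nn", "hdfs", {"/data/secure": ("alice", "finance", 0o770)}, {"/data/secure": "fin_key"})
POLICIES = [KmsPolicy({"fin_key"}, set(), {"finance"}, {"Decrypt EEK"})]
ALICE, BOB, NN = User("alice", {"finance"}), User("bob", {"analysts"}), User("nn", {"hdfs"})

if __name__ == "__main__":
    for u in (ALICE, BOB, NN):
        print(u.name, missing_for_ez_write(u, "/data/secure", HDFS, POLICIES) or "allowed")
```

Running it shows alice allowed, bob lacking both layers, and nn passing the HDFS check but still lacking the KMS key permission.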