Created 05-29-2016 09:30 AM
Hi Team,
I have to implement Ranger on my dev HDP 2.3. Before that I need some information. Please provide answers below.
1) What should be the permissions on my data directory or file system?
e.g. drwxrwx--- appowner appgroup /data/. Is this the correct way, or should only appowner have full permission, with group and others restricted?
2) What is the recommended file system that Ranger should maintain, and what is the recommended file system that ACLs should maintain?
3) What if I have an ACL restricting an appowner and in Ranger it is granted?
4) If I restrict a particular directory for a user, will that user be able to access that directory through Hive or HBase?
5) What are the recommended permissions that we need to set so that access is handled by Ranger?
Ranger version : 0.5.0
Created 05-30-2016 05:59 AM
Please find my reply inline below:
1) What should be the permissions on my data directory or file system?
e.g. drwxrwx--- appowner appgroup /data/. Is this the correct way, or should only appowner have full permission, with group and others restricted?
--> If you are planning to use Ranger to centralize governance for all access, then you should set permissions recursively to 700 from the CLI.
2) What is the recommended file system that Ranger should maintain, and what is the recommended file system that ACLs should maintain?
--> There is no recommendation given as such. But from my experience you should try to govern everything from a single console, i.e. Ranger, else it will be difficult for you to manage when your environment grows bigger and bigger.
You do have the option to keep application data [user app dir data, Hive external tables, etc.] managed by Ranger and Hadoop HDFS data [Hive warehouse dir] managed by ACLs.
3) What if I have an ACL restricting an appowner and in Ranger it is granted?
--> It is a basic fundamental of HDP that if you have Ranger set up in your environment, Ranger policies take first precedence and then the ACLs.
So for example: userA has a directory which has a policy in Ranger that gives no write access on the dir, but from the CLI assume it has permission 777. Then, whenever the user tries to create a subdir inside the dir, it will first check for a Ranger policy, and if the Ranger policy is not allowing it, then it will check the HDFS POSIX permissions. Check this link for more details:
http://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/
4) If I restrict a particular directory for a user, will that user be able to access that directory through Hive or HBase?
--> It's all up to you how you manage the policy and from where [i.e. Ranger / ACLs].
5) What are the recommended permissions that we need to set so that access is handled by Ranger?
--> Already replied to in point 1.
Created 05-29-2016 05:15 PM
Hi @suresh krish,
Here are answers to your questions:
1) The absolute permissions of your files are independent from Ranger. You should decide what permissions to use for your data directory. This will depend on the nature of your data, sharing needs, security policy, etc. For a recommendation on the POSIX permissions to use with Ranger, see below.
2) I am not sure I fully understand the question. If the question is how to position the permissions between POSIX and Ranger, here's some information you need to know:
The Ranger plugin for HDFS is special. It checks for Ranger policies and if a policy exists, access is granted to the user. If a policy doesn't exist in Ranger, then the native permissions model in HDFS is used (POSIX or HDFS ACL). This point may create some confusion in the beginning. Think about it as: I grant user/group X permission Y on file Z. The Ranger plugin for Hive works differently and can forbid access to a table/database.
As a consequence of this, the recommendation is to have restrictive permissions in HDFS and grant access to authorized users in Ranger. This way, managing security will be easier and centralized in Ranger.
3) The user will have access. Ranger policies have priority (see point 2). Ranger checks and finds a policy that grants access, hence the ACL will be ignored.
4) No. To access data in Hive you need to have permission to access the table in Hive and the folder in HDFS. This is the case whether you use Ranger or the classical Hadoop permission tools.
5) See answer 2.
Created 05-29-2016 07:54 PM
1) You can use base permissions on HDFS and give any additional permissions using Ranger. So, in the case of /data, you can start with 750, and if anyone in the group needs write permission, you can add it using a Ranger policy.
3) The user will have access. As I said in 1, you can put minimum permissions in HDFS and add additional permissions using Ranger.
4) You can still access this directly if Hive has doAs enabled and you are accessing from HiveServer2. This is the reason why you may have to duplicate access restrictions on both HDFS and Hive columns if you have access from the Hive CLI and HiveServer2. It is almost the same case with HBase.
5) As in 1, you can put minimal permissions on HDFS and then add additional permissions using Ranger. Which means you could go with 700 too, but that will add more overhead in creating policies.
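The evaluation order the replies describe (a Ranger policy is consulted first; if no policy grants the request, the check falls through to the HDFS mode bits) is modelled below as an added illustration, not Ranger's own code. The users, paths and policy are constructed; the model shows why the 700/750 advice matters: with 777 on the directory, the absence of a write grant in Ranger does not stop a write.

```python
from dataclasses import dataclass

# Permission bits in the usual POSIX sense: read, write, execute.
R, W, X = 4, 2, 1

@dataclass
class HdfsEntry:
    owner: str
    group: str
    mode: int  # mode bits as set from the CLI, e.g. 0o700

@dataclass
class RangerPolicy:
    path: str          # directory the policy covers, applied recursively
    users: frozenset
    groups: frozenset
    perms: int         # bitmask of R/W/X that the policy grants

def native_allows(entry, user, user_groups, perm):
    """Classic POSIX check: pick the owner, group or other triplet."""
    if user == entry.owner:
        bits = (entry.mode >> 6) & 7
    elif entry.group in user_groups:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bool(bits & perm)

def authorize(path, entry, user, user_groups, perm, policies):
    """Ranger first, HDFS second. Returns (allowed, component that decided)."""
    for p in policies:
        covers = path == p.path or path.startswith(p.path.rstrip("/") + "/")
        if covers and (user in p.users or p.groups & user_groups) and p.perms & perm:
            return True, "ranger"
    # No Ranger policy granted the request: fall through to the mode bits.
    return native_allows(entry, user, user_groups, perm), "hdfs"

def demo():
    """Constructed scenario: userA may read/execute /data via Ranger but has no
    write grant; userB (in appgroup) has no Ranger policy at all."""
    policies = [RangerPolicy("/data", frozenset({"userA"}), frozenset(), R | X)]
    a_groups, b_groups = frozenset(), frozenset({"appgroup"})
    results = {}
    for mode in (0o777, 0o750, 0o700):
        entry = HdfsEntry("appowner", "appgroup", mode)
        results[(oct(mode), "userA", "write")] = authorize("/data/sub", entry, "userA", a_groups, W, policies)
        results[(oct(mode), "userA", "read")] = authorize("/data/sub", entry, "userA", a_groups, R, policies)
        results[(oct(mode), "userB", "read")] = authorize("/data/sub", entry, "userB", b_groups, R, policies)
    return results
```

Only the 700 and 750 rows leave userA's write decision to Ranger alone; at 777 the fallback grants it regardless of what is or is not in Ranger.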