Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger auth error in hdfs

Solved Go to solution
Highlighted

Ranger auth error in hdfs

Rising Star

I meet some problem in ranger authentication. Here is my step to represent it:

1. I create one account in ranger, where the username is test01

2. I set it belong to a group test_group01

3. In the ranger hdfs policy, I set test_group01 has access to the directory /data/

If it runs normally, the test01 user should have the access to /data/ from the privilege inheriting from the group "test_group01". But in practice, it cannot access the directory /data. However if I specify the 'select user' with the test01, it works well.

So it seems that specifying the group in policy doesn't work, and specifying the permitted user is fine.

How to solve it?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Ranger auth error in hdfs

Hi @Junfeng Chen
Yes, in both cases the namenodes still need to be able to look up the user and find the groups, after that ranger can take care of the authorization. You could use ranger group sync to pull this sort of information into ranger automatically;
https://hortonworks.com/apache/ranger/#section_2

PS. If your question has been answered, please take a moment to mark the answer as accepted. This will make it easy for folks landing on this page to find the solution quickly!

View solution in original post

6 REPLIES 6
Highlighted

Re: Ranger auth error in hdfs

Hi @Junfeng Chen

Is your namenode able to resolve the same group/user mapping? Is your test_group01 an internal or external group in ranger? Did you create the group on the OS end and add the user there? Below is an example of the behaviour with an external group, which exists only on my rangerhost;

[root@RANGERHOST]# groupadd test_group01
[root@RANGERHOST]# useradd test01
[root@RANGERHOST]# usermod -a -G test_group01 test01

[hdfs@RANGERHOST]$ hdfs dfs -mkdir /testpath
[hdfs@RANGERHOST]$ hdfs dfs -chmod 000 /testpath

followed by -> add new policy in ranger web UI using ONLY test_group01

86509-screen-shot-2018-08-15-at-095450.png

this you might expect to work, but I'd see;

[test01@RANGERHOST]$ hdfs dfs -ls /testpath
ls: Permission denied: user=test01, access=READ_EXECUTE, inode="/testpath":hdfs:hdfs:d---------

After adding the local group and member to the NameNode;

[root@NN]# groupadd test_group01
[root@NN]# useradd test01
[root@NN]# usermod -a -G test_group01 test01

It's working now;

[test01@RANGERHOST]$ hdfs dfs -put testfile /testpath
[test01@RANGERHOST]$ hdfs dfs -ls /testpath
Found 1 items
-rw-r--r--   3 test01 hdfs          0 2018-08-15 09:04 /testpath/testfile

Re: Ranger auth error in hdfs

Rising Star

Hi, @Jonathan Sneep Thanks for your response.

Actually both user and group are created in Ranger, which are internal for ranger

Highlighted

Re: Ranger auth error in hdfs

Hi @Junfeng Chen

The namenode still has to be able to map the user to the group either locally (/etc/passwd) or from AD/LDAP. Keep in mind ranger is for authorization, not authentication. Did you verify that the OS of your namenode is able to resolve the user and the groups of the user?

Highlighted

Re: Ranger auth error in hdfs

Rising Star

Hi @Jonathan Sneep

Not yet. So I need to add the user the related group on my namenode host manually?

Highlighted

Re: Ranger auth error in hdfs

Hi @Junfeng Chen
Yes, in both cases the namenodes still need to be able to look up the user and find the groups, after that ranger can take care of the authorization. You could use ranger group sync to pull this sort of information into ranger automatically;
https://hortonworks.com/apache/ranger/#section_2

PS. If your question has been answered, please take a moment to mark the answer as accepted. This will make it easy for folks landing on this page to find the solution quickly!

View solution in original post

Highlighted

Re: Ranger auth error in hdfs

Rising Star

Hi @Jonathan Sneep

Fine. thanks. I have added the user and group info to my namenode. So the typical way to adding the new user or group is creating the user and group on namenode, and waiting for usersync to sync the user info to Ranger?

So if I don't care the group policy, creating internal user in ranger and specifying them in allow conditions also works? At least it seems work in practice..

Don't have an account?
Coming from Hortonworks? Activate your account here