Created 08-15-2018 07:55 AM
I meet some problem in ranger authentication. Here is my step to represent it:
1. I create one account in ranger, where the username is test01
2. I set it belong to a group test_group01
3. In the ranger hdfs policy, I set test_group01 has access to the directory /data/
If it runs normally, the test01 user should have the access to /data/ from the privilege inheriting from the group "test_group01". But in practice, it cannot access the directory /data. However if I specify the 'select user' with the test01, it works well.
So it seems that specifying the group in policy doesn't work, and specifying the permitted user is fine.
How to solve it?
Thanks!
Created 08-16-2018 06:29 AM
Hi @Junfeng Chen
Yes, in both cases the namenodes still need to be able to look up the user and find the groups, after that ranger can take care of the authorization. You could use ranger group sync to pull this sort of information into ranger automatically;
https://hortonworks.com/apache/ranger/#section_2
PS. If your question has been answered, please take a moment to mark the answer as accepted. This will make it easy for folks landing on this page to find the solution quickly!
Created on 08-15-2018 09:06 AM - edited 08-17-2019 08:37 PM
Is your namenode able to resolve the same group/user mapping? Is your test_group01 an internal or external group in ranger? Did you create the group on the OS end and add the user there? Below is an example of the behaviour with an external group, which exists only on my rangerhost;
[root@RANGERHOST]# groupadd test_group01 [root@RANGERHOST]# useradd test01 [root@RANGERHOST]# usermod -a -G test_group01 test01 [hdfs@RANGERHOST]$ hdfs dfs -mkdir /testpath [hdfs@RANGERHOST]$ hdfs dfs -chmod 000 /testpath
followed by -> add new policy in ranger web UI using ONLY test_group01
this you might expect to work, but I'd see;
[test01@RANGERHOST]$ hdfs dfs -ls /testpath ls: Permission denied: user=test01, access=READ_EXECUTE, inode="/testpath":hdfs:hdfs:d---------
After adding the local group and member to the NameNode;
[root@NN]# groupadd test_group01 [root@NN]# useradd test01 [root@NN]# usermod -a -G test_group01 test01
It's working now;
[test01@RANGERHOST]$ hdfs dfs -put testfile /testpath [test01@RANGERHOST]$ hdfs dfs -ls /testpath Found 1 items -rw-r--r-- 3 test01 hdfs 0 2018-08-15 09:04 /testpath/testfile
Created 08-15-2018 09:39 AM
Hi, @Jonathan Sneep Thanks for your response.
Actually both user and group are created in Ranger, which are internal for ranger
Created 08-15-2018 10:44 AM
The namenode still has to be able to map the user to the group either locally (/etc/passwd) or from AD/LDAP. Keep in mind ranger is for authorization, not authentication. Did you verify that the OS of your namenode is able to resolve the user and the groups of the user?
Created 08-16-2018 01:31 AM
Hi @Jonathan Sneep
Not yet. So I need to add the user the related group on my namenode host manually?
Created 08-16-2018 06:29 AM
Hi @Junfeng Chen
Yes, in both cases the namenodes still need to be able to look up the user and find the groups, after that ranger can take care of the authorization. You could use ranger group sync to pull this sort of information into ranger automatically;
https://hortonworks.com/apache/ranger/#section_2
PS. If your question has been answered, please take a moment to mark the answer as accepted. This will make it easy for folks landing on this page to find the solution quickly!
Created 08-16-2018 07:15 AM
Fine. thanks. I have added the user and group info to my namenode. So the typical way to adding the new user or group is creating the user and group on namenode, and waiting for usersync to sync the user info to Ranger?
So if I don't care the group policy, creating internal user in ranger and specifying them in allow conditions also works? At least it seems work in practice..