Created 12-16-2015 04:57 AM
I have configured one policy for HDFS via Ranger. Below are the details:
1. Policy configured for user admin
2. User admin can rwx into /user/oozie
3. Point number 2 tested successfully
4. When I went to change ownership of /user/oozie to admin by user admin then it fails with below error
[admin@hdpambari ~]$ hdfs dfs -chown root /user/oozie/test1
chown: changing ownership of '/user/oozie/test1': Non-super user cannot change owner
I know that logically this is correct as user "admin" has rwx access to /user/oozie so no need to change the ownership.
Is my understanding correct? Is there any documentation that points to this?
Created 12-16-2015 09:38 AM
Just a question for clarification: Can you do an hdfs dfs -ls /user/oozie? If the test1 folder is not owned by user admin (he only has rwx but is not the owner), then he cannot change the ownership either. That is the same in Linux. I suppose this is not the case here but I just wanted to clarify.
Created 12-16-2015 09:43 AM
Agree, you have to be a superuser or the owner to change the owner of a folder. Also see this FSDirAttrOp.java#L73
Created 12-17-2015 02:59 AM
@Benjamin Leonhardi - Yes, I can do dfs -ls /user/oozie, I can read each and every file, I can write into it. You are correct! It's the same as Unix.
@Jonas Straub - Thank you for the link. I think only superuser can change the ownership (current owner also cannot change it).
Unix:
-rwxrwxrwx 1 kkulkarni staff 39441 Dec 17 08:17 test
KKs-Mac:~ kkulkarni$
KKs-Mac:~ kkulkarni$ chown root test
chown: test: Operation not permitted
KKs-Mac:~ kkulkarni$ sudo chown root test
KKs-Mac:~ kkulkarni$ ls -lrt test
-rwxrwxrwx 1 root staff 39441 Dec 17 08:17 test
KKs-Mac:~ kkulkarni$
Same is the case for hdfs.
Created 12-17-2015 03:10 AM
Based on the output in the question, you are logged in as admin user
[admin@hdpambari ~]$ hdfs dfs -chown root /user/oozie/test1
test1 is owned by some other user?
Created 12-17-2015 04:39 AM
@Neeraj Sabharwal - it's owned by admin only
[root@hdpambari yarn]# hadoop fs -ls /user/oozie/test1
-rw-r--r-- 3 admin hadoop 0 2015-12-09 21:47 /user/oozie/test1
[root@hdpambari yarn]#
Created 12-17-2015 03:29 AM
@Kuldeep Kulkarni, how are you setting user admin as administrator? Is the user admin in dfs.cluster.administrators?
Do you have access to user "hdfs"?
Created 12-17-2015 04:40 AM
@bdurai - nopes I have just configured ranger policy and given rwx access to admin user for /user/oozie (recursively)
Created 12-17-2015 04:42 AM
I do have access to hdfs user and yes we can change the ownership using
sudo -u hdfs hadoop fs -chown <some-user> /user/oozie/test1
I just wanted to ensure that if this is expected behavior that even after granting rwx via Ranger authorization we cannot change the ownership.
Created 12-17-2015 05:02 AM
Yes, this is the expected behavior. Ranger Policies are just for the ACL and not for ownership. The right way to do it here is to use Ranger for all the ACLs. Should you want root to access /user/oozie/test1, then from Ranger Admin, you should give "root" the required access to the folder. Ideally, you shouldn't play with owner and group.
Created 12-17-2015 11:49 AM
@bdurai - That's correct! Thank you.
Created 02-02-2016 05:52 PM
@Kuldeep Kulkarni has this been resolved? Please accept best answer or provide your own solution.
Created 02-03-2016 02:04 AM
Based on all the discussion, this is expected behavior. Even after giving full permissions via ranger, only superuser can modify ownership.
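The rule the thread settles on, written out as a small Python model. This is an added example, not Hadoop's code and not from any poster. It also covers the group-change case from the HDFS permissions documentation, which the thread does not test. The class and function names, admin's membership in "users", and every message except "Non-super user cannot change owner" are assumptions of the model.

```python
from dataclasses import dataclass, field

class AccessControlException(Exception):
    pass

@dataclass
class Caller:
    name: str
    groups: set = field(default_factory=set)
    superuser: bool = False          # e.g. the "hdfs" service user

@dataclass
class Inode:
    path: str
    owner: str
    group: str

def set_owner(caller, inode, new_owner=None, new_group=None, ranger_rwx=False):
    """Simplified model of the chown/chgrp decision (hypothetical helper).

    ranger_rwx is accepted only to show that it is never consulted:
    read/write/execute grants do not cover ownership changes.
    """
    if not caller.superuser:
        if caller.name != inode.owner:
            raise AccessControlException("caller is not the owner")  # model wording
        if new_owner is not None and new_owner != caller.name:
            raise AccessControlException("Non-super user cannot change owner")
        if new_group is not None and new_group not in caller.groups:
            raise AccessControlException("User does not belong to " + new_group)
    inode.owner = new_owner or inode.owner
    inode.group = new_group or inode.group

def attempt(caller, inode, **kwargs):
    try:
        set_owner(caller, inode, **kwargs)
        return "ok"
    except AccessControlException as exc:
        return str(exc)

def demo():
    # Constructed sample mirroring the thread: test1 is owned by admin:hadoop.
    admin = Caller("admin", groups={"hadoop", "users"})  # "users" is assumed
    hdfs = Caller("hdfs", groups={"hdfs"}, superuser=True)
    test1 = Inode("/user/oozie/test1", owner="admin", group="hadoop")
    return [
        attempt(admin, test1, new_owner="root", ranger_rwx=True),  # thread's case
        attempt(admin, test1, new_group="users"),  # owner, member of target group
        attempt(admin, test1, new_group="hdfs"),   # owner, not a member
        attempt(hdfs, test1, new_owner="root"),    # the sudo -u hdfs path
        test1.owner,
    ]
```
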