Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger authorization for HDFS - Unable to change ownership of a directory in hdfs

Labels:
avatar
author-rank KuldeepK author-rank
Master Guru

Created ‎12-16-2015 04:57 AM

I have configured once policy for hdfs via ranger. below are the details:

1. Policy configured for user admin

2. User admin can rwx into /user/oozie

3. Point number 2 tested successfully

4. When I went to change ownership of /user/oozie to admin by user admin then it fails with below error

[admin@hdpambari ~]$ hdfs dfs -chown root /user/oozie/test1
chown: changing ownership of '/user/oozie/test1': Non-super user cannot change owner

I know that logically this is correct as user "admin" has rwx access to /user/oozie so no need to change the ownership.

Is my understanding correct ? is there any documentation that points to this ?

17,388 Views
1 ACCEPTED SOLUTION

avatar
author-rank bdurai
Rising Star

Created ‎12-17-2015 03:29 AM

@Kuldeep Kulkarni, how are you setting user admin as administrator? Is the user admin in dfs.cluster.administrators?

Do you have access to user "hdfs"?

View solution in original post

11,031 Views
14 REPLIES 14

avatar
author-rank KuldeepK author-rank
Master Guru

Created ‎12-17-2015 04:42 AM

I do have access to hdfs user and yes we can change the ownership using

sudo -u hdfs hadoop fs -chown <some-user> /user/oozie/test1

I just wanted to ensure that if this is expected behavior that even after granting rwx via Ranger authorization we cannot change the ownership.

4,910 Views

avatar
author-rank bdurai
Rising Star

Created ‎12-17-2015 05:02 AM

Yes, this is the expected behavior. Ranger Policies are just for the ACL and not for ownership. The right way to do out here is to use Ranger for all the ACLs. You should you want root to access /user/oozie/test1, then from Ranger Admin, you should give "root" the required access to the folder. Ideally, you shouldn't play with owner and group.

4,910 Views

avatar
author-rank KuldeepK author-rank
Master Guru

Created ‎12-17-2015 11:49 AM

@bdurai - Thats correct! Thank you.

4,910 Views

avatar
author-rank aervits
Master Mentor

Created ‎02-02-2016 05:52 PM

@Kuldeep Kulkarni has this been resolved? Please accept best answer or provide your own solution.

4,910 Views
0 Kudos

avatar
author-rank KuldeepK author-rank
Master Guru

Created ‎02-03-2016 02:04 AM

Based on all the discussion, this is expected behavior. Even after giving full permissions via ranger, only superuser can modify ownership.

4,910 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements