Ranger authorization for HDFS - Unable to change ownership of a directory in hdfs

Master Guru

I have configured one policy for hdfs via ranger. Below are the details:

1. Policy configured for user admin

2. User admin can rwx into /user/oozie

3. Point number 2 tested successfully

4. When I went to change ownership of /user/oozie to admin as user admin, it fails with the below error:

[admin@hdpambari ~]$ hdfs dfs -chown root /user/oozie/test1
chown: changing ownership of '/user/oozie/test1': Non-super user cannot change owner

I know that logically this is correct as user "admin" has rwx access to /user/oozie so no need to change the ownership.

Is my understanding correct? Is there any documentation that points to this?

Master Guru

I do have access to hdfs user and yes we can change the ownership using

sudo -u hdfs hadoop fs -chown <some-user> /user/oozie/test1

I just wanted to ensure that if this is expected behavior that even after granting rwx via Ranger authorization we cannot change the ownership.

Rising Star

Yes, this is the expected behavior. Ranger Policies are just for the ACL and not for ownership. The right way to do it here is to use Ranger for all the ACLs. Should you want root to access /user/oozie/test1, then from Ranger Admin, you should give "root" the required access to the folder. Ideally, you shouldn't play with owner and group.

Master Guru

@bdurai - That's correct! Thank you.

Master Mentor

@Kuldeep Kulkarni has this been resolved? Please accept best answer or provide your own solution.

Master Guru

Based on all the discussion, this is expected behavior. Even after giving full permissions via ranger, only superuser can modify ownership.
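
The split the replies describe, as an added example that is not part of the original thread and is not Hadoop or Ranger code: a simplified Python model in which read/write/execute is decided by policy, while chown is decided only by superuser and owner status. The `Policy` and `Inode` classes, the `hdfs` superuser name and the sample ownership of `/user/oozie/test1` are assumptions made for illustration.

```python
# Simplified model of two separate decisions; not Hadoop or Ranger source code.
from dataclasses import dataclass
SUPERUSERS = {"hdfs"}  # assumption: the HDFS superuser is named "hdfs"

class AccessDenied(Exception):
    """Raised when the modelled ownership check refuses an operation."""

@dataclass
class Inode:
    path: str
    owner: str
    group: str

@dataclass
class Policy:  # constructed stand-in for one recursive Ranger HDFS policy
    resource: str
    users: set
    accesses: set  # subset of {"read", "write", "execute"}

def check_access(user, inode, access, policies):
    """read/write/execute: granted by a matching policy (mode bits omitted)."""
    return user in SUPERUSERS or any(
        (inode.path + "/").startswith(p.resource.rstrip("/") + "/")
        and user in p.users and access in p.accesses for p in policies)

def set_owner(user, user_groups, inode, new_owner=None, new_group=None):
    """chown/chgrp: policies are never consulted, only superuser/owner status."""
    if user not in SUPERUSERS:
        if user != inode.owner:
            raise AccessDenied("Permission denied: caller is not the owner")
        if new_owner is not None and new_owner != user:
            raise AccessDenied("Non-super user cannot change owner")
        if new_group is not None and new_group not in user_groups:
            raise AccessDenied("User does not belong to " + new_group)
    inode.owner = new_owner or inode.owner
    inode.group = new_group or inode.group
    return inode

def demo():
    """Constructed sample mirroring the thread: admin has rwx on /user/oozie."""
    policies = [Policy("/user/oozie", {"admin"}, {"read", "write", "execute"})]
    f = Inode("/user/oozie/test1", "admin", "hdfs")
    out = {"admin_write": check_access("admin", f, "write", policies)}
    try:
        set_owner("admin", {"admin"}, f, new_owner="root")
    except AccessDenied as e:
        out["admin_chown"] = str(e)
    out["hdfs_chown"] = set_owner("hdfs", set(), f, new_owner="root").owner
    return out
```

Calling `demo()` shows the policy-granted write succeeding, the chown by `admin` refused with the same message as in the question, and the chown by `hdfs` succeeding.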