Re: Ranger does not work in fresh installation of ...

vitaliy_kalinic · ‎05-22-2018

I have a fresh installation of ambari hadoop. Configured ranger+kerberos. When I try to list a dir under a user I always get an error:

[doopy@nashira ~]$ hadoop fs -ls /user/ambari-qa/
ls: Permission denied: user=doopy, access=READ_EXECUTE, inode="/user/ambari-qa":ambari-qa:hdfs:drwxrwx---
[doopy@nashira ~]$ hadoop fs -ls /user/
Found 5 items
drwxrwx--- - ambari-qa hdfs 0 2018-05-21 17:13 /user/ambari-qa
drwxr-xr-x - hcat hdfs 0 2018-05-21 10:50 /user/hcat
drwxr-xr-x - hive hdfs 0 2018-05-21 10:50 /user/hive
drwxrwxr-x - oozie hdfs 0 2018-05-21 10:51 /user/oozie
drwxrwxr-x - spark hdfs 0 2018-05-21 10:47 /user/spark
[doopy@nashira ~]$

doopy - is a unix user. It has a policy in ranger that allow him to list that dir. I realize that this user does not have fs right to list that dir but as far I understand that ranger' policy should allow doopy to list /user/ambari-qa dir.

Please help me to find where I'm wrong?

Thanks in advance!

myoung · ‎05-22-2018

@Vitaliy Kalinichenko Yes, the Ranger policy should "override" the HDFS permissions. Can you share a screenshot of the policy you have created to allows the doopy user to access /user/ambari-qa? Is the policy enabled? Has the Ranger HDFS plugin sync'd with Ranger?

vitaliy_kalinic · ‎05-22-2018

Hello Michael,

Thanks for the answer!

Please find requested screens attached. ranger-policy.png ranger-hdfs-plugin-properties.png ranger-plugin-properties.png

Ranger does not work in fresh installation of ambari hadoop...

Ranger does not work in fresh installation of ambari hadoop...

Re: Ranger does not work in fresh installation of ambari hadoop...

Re: Ranger does not work in fresh installation of ambari hadoop...