Created 05-22-2018 04:15 PM
I have a fresh installation of ambari hadoop. Configured ranger+kerberos. When I try to list a dir under a user I always get an error:
[doopy@nashira ~]$ hadoop fs -ls /user/ambari-qa/
ls: Permission denied: user=doopy, access=READ_EXECUTE, inode="/user/ambari-qa":ambari-qa:hdfs:drwxrwx---
[doopy@nashira ~]$ hadoop fs -ls /user/
Found 5 items
drwxrwx--- - ambari-qa hdfs 0 2018-05-21 17:13 /user/ambari-qa
drwxr-xr-x - hcat hdfs 0 2018-05-21 10:50 /user/hcat
drwxr-xr-x - hive hdfs 0 2018-05-21 10:50 /user/hive
drwxrwxr-x - oozie hdfs 0 2018-05-21 10:51 /user/oozie
drwxrwxr-x - spark hdfs 0 2018-05-21 10:47 /user/spark
[doopy@nashira ~]$
doopy - is a unix user. It has a policy in ranger that allow him to list that dir. I realize that this user does not have fs right to list that dir but as far I understand that ranger' policy should allow doopy to list /user/ambari-qa dir.
Please help me to find where I'm wrong?
Thanks in advance!
Created 05-22-2018 04:32 PM
@Vitaliy Kalinichenko Yes, the Ranger policy should "override" the HDFS permissions. Can you share a screenshot of the policy you have created to allows the doopy user to access /user/ambari-qa? Is the policy enabled? Has the Ranger HDFS plugin sync'd with Ranger?
Created 05-22-2018 05:34 PM
Hello Michael,
Thanks for the answer!
Please find requested screens attached. ranger-policy.pngranger-hdfs-plugin-properties.pngranger-plugin-properties.png