Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger policies alongside Hadoop permissions

Highlighted

Ranger policies alongside Hadoop permissions

New Contributor

Hi,

I am trying to understand Ranger and its role in HDP. I found the below statement mentioned in Ranger documentation.

For an effective management of the policies via Ranger, we recommand that permissions be created at the Ranger Policy Manager, and to have very restrictive permissions at the HDFS level.

  • Does this mean that we need to have the most restrictive permissions configured on Hadoop using ACLs and then relax the permissions through Ranger policies for HDFS service?
  • What happens with other services like Hive, YARN and HBase etc if permissions are defined at the component level rather than Ranger?

Thanks

3 REPLIES 3

Re: Ranger policies alongside Hadoop permissions

@Greenhorn Techie

Ranger is a plugin based authorization model. That means that each of the projects that supports Ranger has a "plugin" that interfaces with the Ranger policy engine to provide an interface from the policies administered by Ranger to the authorization APIs for each component. The Ranger policy permissions will override the HDFS file permissions, but work in conjunction with HDFS ACLs (as the plugin provides an interface between the HDFS ACLs and the Ranger policies). What the statement you referred to means is that you should set permissions in HDFS to the most restrictive possible (e.g. hdfs dfs -chmod 600 <file>) and then assign permissions via Ranger. HDFS will look to Ranger for a policy allowing or denying the user access to the file and use that policy to determine authorization.

The plugins for the other components work similarly, however, you will most likely want to manage all of the authorization with Ranger since it provides a single pane of glass to manage the various authorization APIs for each component.

Re: Ranger policies alongside Hadoop permissions

Expert Contributor
@Greenhorn Techie

The phrase of the documentation means that at HDFS level, you go as restrictive as possible. You can change the default mask to 022 or 077 based on your cluster requirements. Give rw default permission only to the owner. For every directory existing on HDFS, or which you plan to use, define a policy in Ranger so access is controlled and everything is through Ranger.

Re: Ranger policies alongside Hadoop permissions

Rising Star