Ranger policy not working

ranger-screenshot.png

I am using the default policy for HDFS provided after Ranger installation. It is not working as expected.

This is my HDFS permission. Attached is the screenshot of the Ranger policy. Now if a user arun is trying to access HDFS, he shouldn't be able to, as only hadoop, rangerlookupuser and ambari-qa have the permissions as per the policy. Am I doing anything wrong? Or how do I restrict a user named arun using Ranger? Any thoughts would be great.

 hadoop fs -ls /
Found 9 items
drwxrwxrwx   - yarn   hadoop          0 2017-03-14 05:48 /app-logs
drwxr-xr-x   - hdfs   hdfs            0 2017-03-14 05:45 /apps
drwxr-xr-x   - yarn   hadoop          0 2017-03-14 05:45 /ats
drwxr-xr-x   - hdfs   hdfs            0 2017-03-14 05:46 /hdp
drwxr-xr-x   - mapred hdfs            0 2017-03-14 05:46 /mapred
drwxrwxrwx   - mapred hadoop          0 2017-03-14 05:46 /mr-history
drwxr-xr-x   - hdfs   hdfs            0 2017-03-28 07:39 /ranger
drwxrwxrwx   - hdfs   hdfs            0 2017-03-28 04:54 /tmp
drwxr-xr-x   - hdfs   hdfs            0 2017-03-28 09:54 /user




4 REPLIES

Rising Star

What exactly do you mean by "if an user arun is trying to access hdfs"? Are you trying to access a file/folder with the "hadoop fs" command while you are logged into Linux as user "arun"?


Yes, the user arun issues a command

hadoop fs -ls /

Since Ranger allows only 3 users as mentioned in the screenshot, arun should not be able to access / (in HDFS), but it is not the case.

Rising Star

@ARUN HDFS ACLs are used as a fallback when no Ranger policy exists for any given HDFS resource. You may turn off the xasecure.add-hadoop-authorization flag under HDFS configs to have only Ranger ACLs.
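
The fallback described in the reply above, as an added example that is not from any poster and is not Ranger's own code: a simplified model of the decision order, run against two lines of the listing in the question. The policy shape (allow items only, recursive from /, read/write/execute) and arun's group membership are assumptions, since the screenshot is not reproduced here.

```python
# Simplified model of the decision order described in the reply above.
# Not Ranger's code; policy contents and arun's group are assumptions.
LS_LINES = """\
drwxr-xr-x   - hdfs   hdfs            0 2017-03-28 09:54 /user
drwxrwxrwx   - hdfs   hdfs            0 2017-03-28 04:54 /tmp
"""  # two lines copied from the listing in the question

# Assumed shape of the default policy: allow items only, recursive from "/".
POLICY = {"path": "/", "recursive": True,
          "allow_users": {"hadoop", "rangerlookupuser", "ambari-qa"},
          "accesses": {"read", "write", "execute"}}

def parse_ls(text):
    """Map path -> (mode string, owner, group) from `hadoop fs -ls` output."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        entries[f[-1]] = (f[0][1:], f[2], f[3])
    return entries

def ranger_decision(user, path, access, policy=POLICY):
    """ALLOW if an allow item matches, else NOT_DETERMINED (never DENY here)."""
    covered = path == policy["path"] or (
        policy["recursive"] and path.startswith(policy["path"]))
    if covered and user in policy["allow_users"] and access in policy["accesses"]:
        return "ALLOW"
    return "NOT_DETERMINED"

def hdfs_allows(user, groups, entry, access):
    """POSIX-style check: owner bits, then group bits, then other bits."""
    mode, owner, group = entry
    bits = mode[0:3] if user == owner else mode[3:6] if group in groups else mode[6:9]
    return {"read": "r", "write": "w", "execute": "x"}[access] in bits

def authorize(user, groups, path, access, add_hadoop_authorization):
    """Ranger first; HDFS permissions only if nothing matched and the flag is on."""
    if ranger_decision(user, path, access) == "ALLOW":
        return "allowed by Ranger policy"
    if not add_hadoop_authorization:
        return "denied (no Ranger policy, fallback off)"
    ok = hdfs_allows(user, groups, parse_ls(LS_LINES)[path], access)
    return "allowed by HDFS permissions" if ok else "denied by HDFS permissions"

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, authorize("arun", {"arun"}, "/user", "read", flag))
```

An allow item for three users leaves every other user undetermined rather than denied, which is why arun's request is decided by the r-x "other" bits on the directory while the fallback is on.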