Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger policy not working

Labels:
avatar
author-rank arunpoy
Guru

Created ‎03-28-2017 10:17 AM

ranger-screenshot.pngI am using the default policy for HDFS provided after ranger installation. IT is not working as expected.

this is my hdfs permission . Attached is the screeshot of ranger policy. now if an user arun is trying to access hdfs, he shouldnt be as only hadoop,rangerlookupuser and ambari-qa have the permissions as per the policy. Am i doing anything wrong. Or how do i restrict an user named arun using ranger. any thoughts would be grear

 hadoop fs -ls /
Found 9 items
drwxrwxrwx   - yarn   hadoop          0 2017-03-14 05:48 /app-logs
drwxr-xr-x   - hdfs   hdfs            0 2017-03-14 05:45 /apps
drwxr-xr-x   - yarn   hadoop          0 2017-03-14 05:45 /ats
drwxr-xr-x   - hdfs   hdfs            0 2017-03-14 05:46 /hdp
drwxr-xr-x   - mapred hdfs            0 2017-03-14 05:46 /mapred
drwxrwxrwx   - mapred hadoop          0 2017-03-14 05:46 /mr-history
drwxr-xr-x   - hdfs   hdfs            0 2017-03-28 07:39 /ranger
drwxrwxrwx   - hdfs   hdfs            0 2017-03-28 04:54 /tmp
drwxr-xr-x   - hdfs   hdfs            0 2017-03-28 09:54 /user
4,687 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank mliem
Expert Contributor

Created ‎03-28-2017 01:56 PM

@ARUN

Hi,

HDFS permissions is managed by a combination of ranger + native HDFS permissions (POSIX). Just because you've set ranger policies for those 3 users, doesnt mean they are the only users who are allowed to access HDFS. In your case, arun is still able to access hdfs because all folders in HDFS have 'r' access for others (eg. /tmp - drwxrwxrwx)

The link below has best practicess in managing HDFS permissions with ranger and native hadoop permissions:

https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/

One of the important steps is to change HDFS umask to 077 from 022. This will prevent any new files or folders to be accessed by anyone other than the owner.

As an example you can do the below:

As hdfs user:

1. hdfs dfs -mkdir /tmp/ranger_test

2 hdfs dfs -chmod 700 /tmp/ranger_test (folder permission becomes "drwx------" - changing umask to 077 will do this for future files)

3. switch to ARUN user

4. hdfs dfs -ls /tmp/ranger_test (you should get an error along the lines of: "

ls: Permission denied: user=arun, access=READ_EXECUTE, inode="/tmp/ranger_test":hdfs:hdfs:drwx------"

5. Add a policy in ranger to allow arun access to /tmp/ranger_test

6. try to access the /tmp/ranger_test folder with arun

Hope this helps,

View solution in original post

4,097 Views
0 Kudos
4 REPLIES 4

avatar
author-rank bpgergo author-rank
Rising Star

Created ‎03-28-2017 11:53 AM

What do you exactly mean by "if an user arun is trying to access hdfs"? Are you trying to access a file/folder with the "hadoop fs" command while you are logged into linux as user "arun"?

4,096 Views
0 Kudos

avatar
author-rank arunpoy
Guru

Created ‎03-28-2017 12:08 PM

Yes, the user arun issues a command

hadoop fs -ls /

Since ranger allows only 3 users as mentioned in the screenshot. arun should not be able to access / (in hdfs). but it is not the case

4,096 Views
0 Kudos

avatar
author-rank mliem
Expert Contributor

Created ‎03-28-2017 01:56 PM

@ARUN

Hi,

HDFS permissions is managed by a combination of ranger + native HDFS permissions (POSIX). Just because you've set ranger policies for those 3 users, doesnt mean they are the only users who are allowed to access HDFS. In your case, arun is still able to access hdfs because all folders in HDFS have 'r' access for others (eg. /tmp - drwxrwxrwx)

The link below has best practicess in managing HDFS permissions with ranger and native hadoop permissions:

https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/

One of the important steps is to change HDFS umask to 077 from 022. This will prevent any new files or folders to be accessed by anyone other than the owner.

As an example you can do the below:

As hdfs user:

1. hdfs dfs -mkdir /tmp/ranger_test

2 hdfs dfs -chmod 700 /tmp/ranger_test (folder permission becomes "drwx------" - changing umask to 077 will do this for future files)

3. switch to ARUN user

4. hdfs dfs -ls /tmp/ranger_test (you should get an error along the lines of: "

ls: Permission denied: user=arun, access=READ_EXECUTE, inode="/tmp/ranger_test":hdfs:hdfs:drwx------"

5. Add a policy in ranger to allow arun access to /tmp/ranger_test

6. try to access the /tmp/ranger_test folder with arun

Hope this helps,

4,098 Views
0 Kudos

avatar
author-rank ssanthosh author-rank
Rising Star

Created ‎03-28-2017 06:59 PM

@ARUN HDFS acls are used as fallback when no ranger policy exist for any given HDFS resource. You may turn off xasecure.add-hadoop-authorization flag under HDFS configs to have only ranger acls.

4,097 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements