Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Should we disable HDFS default ACL to enable Ranger HDFS plugin?

Labels:
avatar
author-rank ScipioTheElder
Expert Contributor

Created ‎03-09-2016 02:49 AM

In Sandbox HDP 2.3.2 / Ambar 2.1.2, Ranger is enabled in HDFS out of the box. When I tried to get ACL on CLI, I got the error as follows:

[hdfs@sandbox ~]$ hdfs dfs -getfacl /user/hdfs # file: /user/hdfs # owner: hdfs # group: hdfs getfacl: The ACL operation has been rejected. Support for ACLs has been disabled by setting dfs.namenode.acls.enabled to false.

Is it recommended to disable default ACL? If it is enabled, will we see ACL set command generating Ranger policies?

8,496 Views
4 REPLIES 4

avatar
author-rank amcbarnett
Guru

Created ‎03-09-2016 02:57 AM

In a real cluster dfs.namenode.acls.enabled is set to true.

The sandbox is configured for a wide audience to run into the least amount of problems doing the tutorials.

And no, the acl command does not generate Ranger policies.

You set the policies in Ranger and it will manage the ACLs for HDFS as the

dfs.namenode.inode.attributes.provider.class is set to

org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer

See Slides 18 and 19 in

http://www.slideshare.net/Hadoop_Summit/securing-hadoop-with-apache-ranger

If there are no Ranger policies, it falls back to HDFS ACL

5,401 Views

avatar
author-rank khushikalra_060
Rising Star

Created ‎05-02-2016 07:30 PM

but if we set the dfs.namenode.acls.enabled = true and xasecure.add-hadoop-authorization" = true then only hadoop acl will take precedence and ranger policies will be over ridden. @ Ancil McBarnett

5,401 Views
0 Kudos

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎03-09-2016 03:19 AM

Also setting "xasecure.add-hadoop-authorization" = false in ranger-hdfs-security.xml in /etc/hadoop/conf will stop the fall back to HDFS ACL.

5,401 Views

avatar
author-rank ArtiW author-rank
Rising Star

Created ‎03-10-2016 12:08 AM

I think there are some global policies created whenever we enable any Ranger plugin in Sandbox. This global policy by default blocks access to all. So for other policies to work or for it to fallback on the other authorization method, we need to disable this global policy.

Example : Like in this case, need to review if under HDFS Repo in Ranger, any global policy exists? If yes, need to disable it. In this case it will not fallback to HDFS ACLs if this global policy exists.

5,401 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements