Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

User can view entire hdfs dir and navigate further via WebHDFS. hadoop-policy (Access Control Lists) does not seem to be applicable to WebHDFS. how to incorporate ACLs when accessed via WebHDFS?

Labels:
avatar
author-rank smayani
Super Collaborator

Created ‎10-01-2015 08:58 PM

User can view entire hdfs dir and navigate more via WebHDFS. hadoop-policy (Access Control Lists) does not seem to be applicable to WebHDFS. how to incorporate ACLs when accessed via WebHDFS?

1,753 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank cnauroth
Guru

Created ‎10-29-2015 09:03 PM

The ACLs specified in the hadoop-policy.xml file refer to Hadoop service-level authorization.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html

These ACLs are enforced on Hadoop RPC service calls. These ACLs are not applicable to access through WebHDFS. In order to fully control authorization to HDFS files, use HDFS permissions and ACLs.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html

Permissions and ACLs applied to directories and files are enforced for all means of access to the file system.

Other potential solutions are to use Knox or Ranger.

View solution in original post

1,251 Views
3 REPLIES 3

avatar
author-rank andrewg author-rank
Guru

Created ‎10-01-2015 11:31 PM

Are you referring to the hadoop-policy section in core-site and hdfs-site? These do not control security the way you'd expect. For proper ACLs on HDFS do either of these:

  1. Secure (Kerberize) your cluster. Ambari automates this. Add Ranger and enable HDFS policies.
  2. If accessing via REST API (WebHDFS) - restrict direct datanode access via a firewall and only allow access via Knox. Knox, in turn, will be able to map an incoming user into an actual role (still, full control with audit will require adding Ranger).

Andrew

1,251 Views

avatar
author-rank cnauroth
Guru

Created ‎10-29-2015 09:03 PM

The ACLs specified in the hadoop-policy.xml file refer to Hadoop service-level authorization.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html

These ACLs are enforced on Hadoop RPC service calls. These ACLs are not applicable to access through WebHDFS. In order to fully control authorization to HDFS files, use HDFS permissions and ACLs.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html

Permissions and ACLs applied to directories and files are enforced for all means of access to the file system.

Other potential solutions are to use Knox or Ranger.

1,252 Views

avatar
author-rank aervits
Master Mentor

Created ‎02-02-2016 05:24 PM

@Saumil Mayani has this been resolved? Can you accept the best answer or provide your own solution?

1,251 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements