Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

User can view entire hdfs dir and navigate further via WebHDFS. hadoop-policy (Access Control Lists) does not seem to be applicable to WebHDFS. how to incorporate ACLs when accessed via WebHDFS?

Labels:
avatar
author-rank smayani
Super Collaborator

Created ‎10-01-2015 08:58 PM

User can view entire hdfs dir and navigate more via WebHDFS. hadoop-policy (Access Control Lists) does not seem to be applicable to WebHDFS. how to incorporate ACLs when accessed via WebHDFS?

1,944 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank cnauroth
Guru

Created ‎10-29-2015 09:03 PM

The ACLs specified in the hadoop-policy.xml file refer to Hadoop service-level authorization.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html

These ACLs are enforced on Hadoop RPC service calls. These ACLs are not applicable to access through WebHDFS. In order to fully control authorization to HDFS files, use HDFS permissions and ACLs.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html

Permissions and ACLs applied to directories and files are enforced for all means of access to the file system.

Other potential solutions are to use Knox or Ranger.

View solution in original post

1,442 Views
0
3 REPLIES 3

avatar
author-rank andrewg author-rank
Guru

Created ‎10-01-2015 11:31 PM

Are you referring to the hadoop-policy section in core-site and hdfs-site? These do not control security the way you'd expect. For proper ACLs on HDFS do either of these:

  1. Secure (Kerberize) your cluster. Ambari automates this. Add Ranger and enable HDFS policies.
  2. If accessing via REST API (WebHDFS) - restrict direct datanode access via a firewall and only allow access via Knox. Knox, in turn, will be able to map an incoming user into an actual role (still, full control with audit will require adding Ranger).

Andrew

1,442 Views

avatar
author-rank cnauroth
Guru

Created ‎10-29-2015 09:03 PM

The ACLs specified in the hadoop-policy.xml file refer to Hadoop service-level authorization.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html

These ACLs are enforced on Hadoop RPC service calls. These ACLs are not applicable to access through WebHDFS. In order to fully control authorization to HDFS files, use HDFS permissions and ACLs.

http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html

Permissions and ACLs applied to directories and files are enforced for all means of access to the file system.

Other potential solutions are to use Knox or Ranger.

1,443 Views
0

avatar
author-rank aervits
Master Mentor

Created ‎02-02-2016 05:24 PM

@Saumil Mayani has this been resolved? Can you accept the best answer or provide your own solution?

1,442 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements