09-19-2018 02:42 AM
I am asking here for advice on Hue configuration.
We are developing a KDC security-enabled cluster with multiple users belonging to various groups.
Currently we rely heavily on Hue and Oozie workflows that are designed from Hue.
Users create their workflows under their user in Hue. Workflows of a particular user are not accessible to others from the list of workflows, unless explicitly shared, which is fine.
However there are problems we'd like to solve:
1. Other users can still access workspaces of those workflows via HDFS, either with Hue's "File browser" or directly via the hdfs command. Particularly from Hue, it seems that anyone can access the workspace directory and even open its files, even if I explicitly change the dir and file permissions to 600. (See screenshot attached)
2. The properties of the launched workflows can be seen by other users in the "Configuration" tab, regardless of their permissions on the workflow. Can those values be hidden somehow?
Thanks in advance!
09-20-2018 12:10 PM
09-27-2018 06:11 AM
Thank you for your response. We are not using Sentry.
The output of getfacl is:
hdfs dfs -getfacl /user/hue/oozie/workspaces/hue-oozie-1538051691.26
# file: /user/hue/oozie/workspaces/hue-oozie-1538051691.26
# owner: SVC_CTOS_SENTILO
# group: hue
getfacl: The ACL operation has been rejected. Support for ACLs has been disabled by setting dfs.namenode.acls.enabled to false.
Incidentally, I am even able to edit the file that is at 0600, being owned by another user.
I also created a 0600 folder and inside a 0600 file. Same behaviour.
Both users are in hadoop and hue group, but that shouldn't be a problem, since as far as I understand it, 0600 means only the owner of the file should be able to read and write, and nobody else.
The owner of the file is SVC_CTOS_SENTILO, from Hue as well as from the hdfs dfs CLI command.