Hi community, I am running HDP 2.5.0 in a kerberized cluster including Ranger and Ambari Infra. Ambari Infra is also kerberized and authorization works fine. Now, I would like to secure the Audit Log in Ambari Infra from unintended alteration by using authorization. As Ranger supports authorization: Is there a straightforward way to manage Ambari Infra authorization on SolR collections using Ranger or some other Authorization mechanism? Thank you! ... View more

Hi community, a security related question: I got two clusters in my environment. Both are kerberized and connected to the same Active directory as KDC. Let's look at technical users now: For the hive-user for instance I created a keytab both on the first and second cluster: hive/somehostinclusterA@REALM.COM hive/somehostinclusterB@REALM.COM Now imagine that the first cluster (A) is run by development with moderate rules, while cluster B is run in production with strict rules. When somebody now steals a keytab from cluster A, there is a security threat: Not only can he access cluster A, but he can also access cluster B (=production), which is bad. Why? Because the auth_to_local rules just convert both hive/somehostinclusterA@REALM.COM and hive/somehostinclusterB@REALM.COM to hive, who is Superuser for the Hive Service in both clusters. Is this a known security problem and are there guidelines on how to fix it. I thought about making complex auth_to_local rules, but this seems to be unoperatable. ... View more

Hi community, I am running a kerberized HDP 2.5 cluster with Ranger policies activated for everything. I have synced Ranger with LDAP and Linux with AD to have consistent group memberships. With SPNEGO, the access to the ResourceManager ist also a matter of authorization. Only users with administer_queue rights on a queue can view details of applications in that queue. My problem is: When creating Ranger policies for YARN queues, rights based on groups are not respected in the RM WebUI. Only user-based rights are accepted. The group membership is, however, shown correctly in Ranger. Do you have any idea, how to ensure that YARN uses the correct groups for granting rights? Thanks! ... View more

Hi community, I am searching for a documentation that describes, how Permissions to use Ranger are configured (in Ranger in Settings -> Permissions). In detail, two questions are very relevant for me: - What does each level of Permissions mean in detail? - How are Users granted permissions automatically? Is there a way to change this, e.g. to stop Ranger from granting all new users permissions on "Resource Based Policies" or "Audit"? Thanks for your kind help referencing any valuable sources or answering those questions. ... View more