Member since
09-28-2015
14
Posts
26
Kudos Received
5
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
2719 | 12-17-2015 08:45 PM | |
17274 | 11-20-2015 04:32 PM | |
5716 | 10-26-2015 04:17 PM | |
2338 | 09-30-2015 05:03 PM | |
1057 | 09-28-2015 10:00 PM |
03-10-2017
02:29 PM
2 Kudos
Q. What is Delegated Admin Privilege? Instead of having a single central authority creating security policies for the entire Hadoop resources, Apache Ranger provides a feature, “Delegated-Admin” to delegate the security policy management to other resource administrators. For example, the permissions associated with hdfs:/app/finance folder and all its contents can be entirely managed finance-admin group by granting “delegated-admin” permission to finance-admin group on “hdfs:/app/finance with recursive=true” In simple-terms, Delegated-Admin permission allows other resource administrators to manage permissions for their managed-resources. Q. What are the roles assigned to a user within ranger-ui? In Apache Ranger, an user can be set with one of the following role: ADMIN, USER, KEYADMIN. When a user is assigned with KEYADMIN role, he/she will have the ability to manage all ranger-kms policies and kms-audit information within the ranger-admin UI. Also, he/she can provide “delegate-admin” privileges for managing a set of keys to other users/groups by creating a ranger-kms policy. When a user is granted with “delegated-admin” privileges for a set of keys, the user can manage permissions associated with any keys that belong to the key set for which he/she has “delegated-admin” privilege. When an user is assigned with ADMIN role, he/she will have the ability to manage all non-kms ranger policies and non-kms audit information within the ranger-admin UI. Also, he/she can provide “delegate-admin” privileges for managing a set of resources to other users/groups by creating a ranger policy. When a user is granted with “delegated-admin” privileges for a set of resources, the user can manage permissions associated with any resource that belongs to the resource set for which he/she has “delegated-admin” privilege. When an user is assigned with USER role, he/she will have the ability to manage only resources/key for which he/she has been granted with “delegated-admin” privilege. Q. What is the difference between ROLE vs “Delegated-Admin privilege”? ROLE is assigned for a specific user by the Administrator. Delegated-Admin Privilege is assigned on a specific set of resources for a specific set of users/groups by a person who already has Delegated-Admin privilege on the specific set of resources.
... View more
Labels:
12-06-2016
09:35 PM
These ranger-admin sessions are created by "download policy actions" performed by RangerPlugins in NameNode, HiveServer process. They are authenticating to ranger-admin process using their service kerberos credentials (hdfs, hive).
... View more
01-22-2016
03:40 PM
@Hammad Ali : Is this a secured cluster ? Storm authorization will work with secured cluster only.
... View more
01-05-2016
10:37 PM
please grant read and execute permission for all py files under /usr/hdp/current/ranger-admin folders (and sub-folders) and try again. Since the umask was set to 0027, it did not grant execute permission for OTHERS which is required for ambari user to execute these scripts.
... View more
01-05-2016
12:07 AM
1 Kudo
Ranger provides authorization and audit functionalities. You should use KERBEROS authentication to secure the Hadoop clusters along with Ranger. If you use SIMPLE authentication, the users can impersonate as other users by setting appropriate ENV variable before invoking hdfs commands.
... View more
12-22-2015
04:09 PM
what version of Ambari is being used? This looks like a bug. All passwords should be encrypted in the xml config file(s).
... View more
12-17-2015
08:45 PM
3 Kudos
You can use the following work-around: On the namenode box, login as root execute: # cp /etc/hadoop/conf/set-hdfs-plugin-env.sh /etc/hadoop/conf/set-hdfs-plugin-env-permfix.sh
# chown hdfs:hadoop /etc/hadoop/conf/set-hdfs-plugin-env-permfix.sh
Then edit,
/usr/hdp/current/hadoop-client/libexec/hadoop-config.sh file to modify the references to
set-hdfs-plugin-env.sh to "
set-hdfs-plugin-env-permfix.sh" This workaround should help you to start the namenode from Ambari without having to change permission manually every time.
... View more
12-17-2015
08:29 PM
1 Kudo
what is umask value for the root user ? This may have set the file to have no execute permission for the group.
... View more
11-20-2015
04:32 PM
11 Kudos
If you forget the admin password, you can reset it by executing db sql: update x_portal_user set password = 'ceb4f32325eda6142bd65215f4c0f371' where login_id = 'admin'; This will reset the password to 'admin'. Then, they should change the password via UI.
... View more
10-26-2015
04:17 PM
7 Kudos
Group permission on the ranger works fine. However, there is a misconception in the community about how the group association for the logged-in user is calculated. The group membership of the "logged in user" is calculated by Hive based on the core-site.xml configuration, hadoop.security.group.mapping. By default, it uses unix groups associated with the "logged in user". However, it can be set to look up LDAP based on the info specified in http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/ You can view the user's group by executing the following command on the hiveserver2 box: $ hdfs groups [username] This command should help you to find out the groups associated with the username. If you do not see the correct group association, you should fix the "hadoop.security.group.mapping" configuration in core-site.xml or the unix group membership on the hiveserver2 box to fix the issue.
... View more