Member since 09-28-2015

14 Posts
26 Kudos Received
5 Solutions

My Accepted Solutions

| Title | Views | Posted |
|---|---|---|
| | 3907 | 12-17-2015 08:45 PM |
| | 22524 | 11-20-2015 04:32 PM |
| | 7459 | 10-26-2015 04:17 PM |
| | 3303 | 09-30-2015 05:03 PM |
| | 1570 | 09-28-2015 10:00 PM |

03-10-2017 02:29 PM
2 Kudos

Q. What is Delegated Admin Privilege?

Instead of having a single central authority creating security policies for all Hadoop resources, Apache Ranger provides a feature, “Delegated-Admin”, to delegate the security policy management to other resource administrators.

For example, the permissions associated with the hdfs:/app/finance folder and all its contents can be entirely managed by the finance-admin group by granting “delegated-admin” permission to the finance-admin group on “hdfs:/app/finance with recursive=true”.

In simple terms, Delegated-Admin permission allows other resource administrators to manage permissions for their managed resources.

Q. What are the roles assigned to a user within ranger-ui?

In Apache Ranger, a user can be assigned one of the following roles: ADMIN, USER, KEYADMIN.

When a user is assigned the KEYADMIN role, he/she will have the ability to manage all ranger-kms policies and kms-audit information within the ranger-admin UI. Also, he/she can provide “delegate-admin” privileges for managing a set of keys to other users/groups by creating a ranger-kms policy. When a user is granted “delegated-admin” privileges for a set of keys, the user can manage permissions associated with any keys that belong to the key set for which he/she has the “delegated-admin” privilege.

When a user is assigned the ADMIN role, he/she will have the ability to manage all non-kms ranger policies and non-kms audit information within the ranger-admin UI. Also, he/she can provide “delegate-admin” privileges for managing a set of resources to other users/groups by creating a ranger policy. When a user is granted “delegated-admin” privileges for a set of resources, the user can manage permissions associated with any resource that belongs to the resource set for which he/she has the “delegated-admin” privilege.

When a user is assigned the USER role, he/she will have the ability to manage only resources/keys for which he/she has been granted the “delegated-admin” privilege.

Q. What is the difference between ROLE and “Delegated-Admin privilege”?

ROLE is assigned to a specific user by the Administrator.

Delegated-Admin Privilege is assigned on a specific set of resources for a specific set of users/groups by a person who already has Delegated-Admin privilege on the specific set of resources.

12-06-2016 09:35 PM

These ranger-admin sessions are created by "download policy actions" performed by RangerPlugins in the NameNode and HiveServer processes. They authenticate to the ranger-admin process using their service Kerberos credentials (hdfs, hive).

01-22-2016 03:40 PM

@Hammad Ali: Is this a secured cluster? Storm authorization will work with a secured cluster only.

01-05-2016 10:37 PM

Please grant read and execute permission for all py files under the /usr/hdp/current/ranger-admin folders (and sub-folders) and try again. Since the umask was set to 0027, it did not grant execute permission for OTHERS, which is required for the ambari user to execute these scripts.
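
An audit for the permission problem described in this post, as an added example that is not part of the original post or of Ranger or Ambari: it lists `.py` files that lack read or execute permission for OTHERS, and directories that lack read or search permission for OTHERS (a 0027 umask strips both, and a directory without search permission blocks access to the scripts inside it). The function names `audit_other_rx`, `fix_other_rx` and `demo`, and the temporary tree they run on, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report and repair what a 0027 umask leaves unusable for OTHERS.

# audit_other_rx DIR -- prints one line per finding:
#   "F <path>"  .py file missing read or execute for others
#   "D <path>"  directory missing read or search (x) for others
audit_other_rx() {
    root=$1
    # "-perm -005" matches when both o+r and o+x are set; "!" inverts it.
    find "$root" -type f -name '*.py' ! -perm -005 -exec printf 'F %s\n' {} \;
    find "$root" -type d ! -perm -005 -exec printf 'D %s\n' {} \;
}

# fix_other_rx DIR -- grants o+rx only on the paths the audit reports,
# leaving the mode of every other file as the installer set it.
fix_other_rx() {
    root=$1
    find "$root" -type f -name '*.py' ! -perm -005 -exec chmod o+rx {} +
    find "$root" -type d ! -perm -005 -exec chmod o+rx {} +
}

# Constructed demo tree, created under umask 0027 as in the post.
# Prints: <findings before fix> <findings after fix> <others bits of a non-.py file>
demo() {
    tmp=$(mktemp -d) || return 1
    (
        umask 0027
        mkdir -p "$tmp/ranger-admin/sub"
        : > "$tmp/ranger-admin/setup.py"
        : > "$tmp/ranger-admin/sub/dba_script.py"
        : > "$tmp/ranger-admin/sub/notes.txt"
        chmod u+x "$tmp/ranger-admin/setup.py" "$tmp/ranger-admin/sub/dba_script.py"
    )
    before=$(audit_other_rx "$tmp/ranger-admin" | wc -l | tr -d ' ')
    fix_other_rx "$tmp/ranger-admin"
    after=$(audit_other_rx "$tmp/ranger-admin" | wc -l | tr -d ' ')
    txt_mode=$(ls -l "$tmp/ranger-admin/sub/notes.txt" | cut -c8-10)
    rm -rf "$tmp"
    echo "$before $after $txt_mode"
}

demo
```

On a real host, run `audit_other_rx` against the ranger-admin directory named in the post before changing anything, so the set of paths that will be opened to OTHERS is known in advance.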
						
					
01-05-2016 12:07 AM
1 Kudo

Ranger provides authorization and audit functionalities. You should use KERBEROS authentication to secure the Hadoop clusters along with Ranger. If you use SIMPLE authentication, users can impersonate other users by setting the appropriate ENV variable before invoking hdfs commands.

12-22-2015 04:09 PM

What version of Ambari is being used? This looks like a bug. All passwords should be encrypted in the xml config file(s).

12-17-2015 08:45 PM
3 Kudos

You can use the following work-around:

On the namenode box, log in as root and execute:

    # cp /etc/hadoop/conf/set-hdfs-plugin-env.sh /etc/hadoop/conf/set-hdfs-plugin-env-permfix.sh
    # chown hdfs:hadoop /etc/hadoop/conf/set-hdfs-plugin-env-permfix.sh

Then edit the /usr/hdp/current/hadoop-client/libexec/hadoop-config.sh file to change the references to set-hdfs-plugin-env.sh to "set-hdfs-plugin-env-permfix.sh".

This workaround should help you to start the namenode from Ambari without having to change permission manually every time.

12-17-2015 08:29 PM
1 Kudo

What is the umask value for the root user? This may have set the file to have no execute permission for the group.

11-20-2015 04:32 PM
11 Kudos

If you forget the admin password, you can reset it by executing db sql:

    update x_portal_user set password = 'ceb4f32325eda6142bd65215f4c0f371' where login_id = 'admin';

This will reset the password to 'admin'. Then, they should change the password via UI.

10-26-2015 04:17 PM
7 Kudos

Group permission on the ranger works fine.

However, there is a misconception in the community about how the group association for the logged-in user is calculated.

The group membership of the "logged in user" is calculated by Hive based on the core-site.xml configuration, hadoop.security.group.mapping. By default, it uses unix groups associated with the "logged in user". However, it can be set to look up LDAP based on the info specified in http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/

You can view the user's group by executing the following command on the hiveserver2 box:

    $ hdfs groups [username]

This command should help you to find out the groups associated with the username. If you do not see the correct group association, you should fix the "hadoop.security.group.mapping" configuration in core-site.xml or the unix group membership on the hiveserver2 box to fix the issue.