Member since 03-30-2018
4 Posts
0 Kudos Received
1 Solution
04-10-2018 08:26 PM

1. Yes, Ranger policies trump HDFS ACL.
2. If you allow access to /data/dir1/dir2, then the user will have access to /data/dir1/dir2 (HDFS ACL is not checked because Ranger permissions prevail).
3. Deny your user access to /data/dir1/dir2 in Ranger. Or, don't have a policy for this directory (this way HDFS ACL is invoked).
04-10-2018 08:17 PM

No answers, so I had to do more digging.

It turns out one can only have ONE HDFS (or Hive for that matter) resource based service active at one time, and the value is set in /etc/hadoop/conf/ranger-hdfs-security.xml, key ranger.plugin.hdfs.service.name.

Moreover, when set through Ambari, the service name is always <cluster_name>_hadoop (some say it's _hdfs, but I definitely see it as _hadoop in HDP 2.6.3).

So, play as much as you want in the Ranger UI, create services, change names, that is just a fake UI. The real work is done in the /etc/hadoop/conf/ranger-hdfs-security.xml.

Thanks guys for making it so straightforward.
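An added example, not part of the original post or of Ranger's own code: a small audit that reads the plugin configuration named in the post and reports which of the services defined in the Ranger UI the HDFS plugin is bound to. The sample XML, the cluster name "mycluster" and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of /etc/hadoop/conf/ranger-hdfs-security.xml (Hadoop-style
# <configuration>/<property> layout); "mycluster" is a made-up cluster name.
SAMPLE_XML = """<configuration>
  <property>
    <name>ranger.plugin.hdfs.policy.rest.url</name>
    <value>http://ranger.example.internal:6080</value>
  </property>
  <property>
    <name>ranger.plugin.hdfs.service.name</name>
    <value>mycluster_hadoop</value>
  </property>
</configuration>"""

SERVICE_KEY = "ranger.plugin.hdfs.service.name"

def read_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def classify_services(xml_text, ui_services):
    """Split the services defined in the Ranger UI into the one named by the
    plugin config and the rest, which this plugin is not bound to."""
    bound = read_properties(xml_text).get(SERVICE_KEY)
    if not bound:
        raise ValueError(f"{SERVICE_KEY} is not set in the plugin config")
    enforced = [s for s in ui_services if s == bound]
    ignored = [s for s in ui_services if s != bound]
    return bound, enforced, ignored

if __name__ == "__main__":
    # Constructed list of services as they might appear in the Ranger UI.
    ui = ["hdfs_service1", "hdfs_service2", "mycluster_hadoop"]
    bound, enforced, ignored = classify_services(SAMPLE_XML, ui)
    print("plugin bound to:", bound)
    print("enforced:", enforced)
    print("not enforced by this plugin:", ignored)
    if not enforced:
        print("WARNING: plugin points at a service that does not exist in Ranger")
```

Running it against the real file on a NameNode host shows whether policies were authored under a service the plugin never consults.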
04-10-2018 01:40 AM

One can create multiple resource based services in Ranger Service Manager, but it seems only one is active at any moment in time. True? What determines this?

E.g. I created 2 identical HDFS services: "hdfs_service1" and "hdfs_service2", both enabled. Then I create a number of policies in each. Are both services active at the same time? What determines which is active, and the policies that will be enforced?

Furthermore, I can create 2 identical Tag based services: "tag1" and "tag2". Now I set the tag service of "hdfs_service1" to "tag1", and "hdfs_service2" to "tag2". Again, which one will be active?
Labels: Apache Ranger
03-30-2018 04:40 AM

I have two sets of tags: one for location (US or international), one for privacy (PII or not). How can I enforce both sets for tag based policies in Ranger?

Say I create a policy to allow access to "US" tag for user 1, and to "International" for user 2. I have data tagged as "PII" under both "US" and "International". Now, if I give user 1 access to "PII" tagged data, it will also get access to "International" data tagged as "PII", which I don't want. How can I enforce in Ranger that both the location policy and privacy policy have to be true in order to allow access? As I see it, Ranger will allow access as soon as one of the policies allows.

I know I can combine the tag sets (e.g. "US PII", "US", "International PII", "International"). But this is not scalable. If the number of locations grows, and other sets of tags are added (regulatory, classifications, etc.), it will be impossible to maintain the combinations.

I need a logical AND in policy evaluation (e.g. if location tag matches AND privacy matches then allow), whereas currently it looks like the Ranger evaluation flow does an OR (e.g. if any location tag matches or privacy tag matches then allow). Any ideas?
Labels: Apache Ranger