Member since
07-06-2020
8
Posts
0
Kudos Received
0
Solutions
10-08-2020
04:43 AM
The same problem occurs with other directories with other permissions: org.apache.hadoop.security.AccessControlException: Permission denied: user=XXXXX, access=READ, inode="/user/.snapshot/user_201806150000":w93651:hdfs:drwx------ org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=XXXXX, access=READ, inode="/user/.snapshot/user_201806150000":w93651:hdfs:drwx------ Again Ranger audit log says that no Policy is applied, instead it uses hdfs acl.
... View more
10-08-2020
04:40 AM
Thank you for your answers, but we have been doing som digging and it looks like the operation with distcp bypass the Ranger policy and use HDFS ACL instead. We have a Ranger allow policy that says that the user XXXXX can read and execute in /* . But in the audit log we get an EXECUTE access denied to: /databank Access enforcer:hadoop-acl and a READ access denied to: /databank/.snapshot/databank_201... Access enforcer: hadoop-acl Moreover, we have a directory where the backup succeed because it has POSIX permissions read and execute for others and other with rwx permissions for the owner only that fail equally. But should it not Ranger Policy apply and override the HDFS POSIX permissions? It looks like that what happens is the opposite, HDFS permissions override Ranger policy. Brgds, Paz
... View more
10-06-2020
06:43 AM
Hej,
We have a script for data backup to a remote Hadoop cluster using distcp. Both clusters are secured with Kerberos, and both clusters are version 2.6.4. The backup fails with error:
org.apache.hadoop.security.AccessControlException: Permission denied: user=XXXXXX, access=EXECUTE, inode="/databank/.snapshot/databank_201904250000":hdfs:hdfs:d---------
There is a policy in Ranger that gives read and execute permissions in the HDFS for user XXXXX. I can list the contents of the HDFS using:
hdfs dfs -ls
after doing kinit to the user XXXXX.
I am completely at loss why the user XXXXX get an execute access denied.
Please advice,
... View more
Labels:
- Labels:
-
Apache Ranger
-
HDFS
-
Kerberos