You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Balaji Ganesan <ba...@gmail.com> on 2015/10/13 17:49:48 UTC

[Discuss] (RANGER-693) HDFS folder permission exclusively managed my Ranger

Good suggestion. HDFS fallback permission does create confusion for users,
it is better to restrict it to certain folders

There is a still an issue of figuring our existing permissions for a given
folder/file. We should include a separate JIRA to modify our reporting tool
to give accurate picture on existing permissions for HDFS files/folders. In
this case, Ranger should interpret both HDFS and Ranger permissions for
folder where fallback is allowed.

On Mon, Oct 12, 2015 at 3:14 PM, Don Bosco Durai (JIRA) <ji...@apache.org>
wrote:

> Don Bosco Durai created RANGER-693:
> --------------------------------------
>
>              Summary: HDFS folder permission exclusively managed my Ranger
>                  Key: RANGER-693
>                  URL: https://issues.apache.org/jira/browse/RANGER-693
>              Project: Ranger
>           Issue Type: Improvement
>     Affects Versions: 0.5.1
>             Reporter: Don Bosco Durai
>              Fix For: 0.6.0
>
>
> In HDFS plugin, if there are no policies for the file/folder, then Ranger
> falls backs to HDFS file/folder permission.
>
> While this is very convenient, but in some cases it is desirable that only
> Ranger manages the policies. Good examples are folders like
> /apps/hive/warehouse or some user folders where it is better that Ranger
> manages the entire permission.
>
> One suggestion is to mark folders which will be managed by Ranger. For
> these folders, ignore all permissions and ownership set at the HDFS
> file/folder level.
>
> This will be a very useful feature for Ranger.
>
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.4#6332)
>

Re: [Discuss] (RANGER-693) HDFS folder permission exclusively managed my Ranger

Posted by Balaji Ganesan <ba...@gmail.com>.

Reporting on Ranger admin primarily. Not everyone uses HDFS ACLs, we need
to think about POSIX permissions as well. We need a way to query HDFS and
get all permissions available for a particular file or directory and merge
them with Ranger policies to give an accurate picture of actuals permission
end user would get. This is for administrators to get a view of the any
HDFS folder/file and existing permissions.

On Wed, Oct 14, 2015 at 11:18 AM, Don Bosco Durai <bo...@apache.org> wrote:

> Agree we need a separate JIRA to track this.
>
> There are 2 use cases:
> 1. Reporting on Ranger Admin: We have to make calls to HDFS to get the
> HDFS ACLs and merge with ours.
> 2. Support -getfacl: When -getfacl API is called, within the HDFS process,
> Ranger plugin can merge both the permission set and respond.
>
> Both have different perspective. What were you thinking of?
>
> Bosco
>
>
>
> On 10/13/15, 8:49 AM, "Balaji Ganesan" <ba...@gmail.com> wrote:
>
> >Good suggestion. HDFS fallback permission does create confusion for users,
> >it is better to restrict it to certain folders
> >
> >There is a still an issue of figuring our existing permissions for a given
> >folder/file. We should include a separate JIRA to modify our reporting
> tool
> >to give accurate picture on existing permissions for HDFS files/folders.
> In
> >this case, Ranger should interpret both HDFS and Ranger permissions for
> >folder where fallback is allowed.
> >
> >On Mon, Oct 12, 2015 at 3:14 PM, Don Bosco Durai (JIRA) <ji...@apache.org>
> >wrote:
> >
> >> Don Bosco Durai created RANGER-693:
> >> --------------------------------------
> >>
> >>              Summary: HDFS folder permission exclusively managed my
> Ranger
> >>                  Key: RANGER-693
> >>                  URL: https://issues.apache.org/jira/browse/RANGER-693
> >>              Project: Ranger
> >>           Issue Type: Improvement
> >>     Affects Versions: 0.5.1
> >>             Reporter: Don Bosco Durai
> >>              Fix For: 0.6.0
> >>
> >>
> >> In HDFS plugin, if there are no policies for the file/folder, then
> Ranger
> >> falls backs to HDFS file/folder permission.
> >>
> >> While this is very convenient, but in some cases it is desirable that
> only
> >> Ranger manages the policies. Good examples are folders like
> >> /apps/hive/warehouse or some user folders where it is better that Ranger
> >> manages the entire permission.
> >>
> >> One suggestion is to mark folders which will be managed by Ranger. For
> >> these folders, ignore all permissions and ownership set at the HDFS
> >> file/folder level.
> >>
> >> This will be a very useful feature for Ranger.
> >>
> >>
> >>
> >>
> >> --
> >> This message was sent by Atlassian JIRA
> >> (v6.3.4#6332)
> >>
>
>

Re: [Discuss] (RANGER-693) HDFS folder permission exclusively managed my Ranger

Posted by Don Bosco Durai <bo...@apache.org>.

Agree we need a separate JIRA to track this.

There are 2 use cases:
1. Reporting on Ranger Admin: We have to make calls to HDFS to get the HDFS ACLs and merge with ours.
2. Support -getfacl: When -getfacl API is called, within the HDFS process, Ranger plugin can merge both the permission set and respond.

Both have different perspective. What were you thinking of?

Bosco



On 10/13/15, 8:49 AM, "Balaji Ganesan" <ba...@gmail.com> wrote:

>Good suggestion. HDFS fallback permission does create confusion for users,
>it is better to restrict it to certain folders
>
>There is a still an issue of figuring our existing permissions for a given
>folder/file. We should include a separate JIRA to modify our reporting tool
>to give accurate picture on existing permissions for HDFS files/folders. In
>this case, Ranger should interpret both HDFS and Ranger permissions for
>folder where fallback is allowed.
>
>On Mon, Oct 12, 2015 at 3:14 PM, Don Bosco Durai (JIRA) <ji...@apache.org>
>wrote:
>
>> Don Bosco Durai created RANGER-693:
>> --------------------------------------
>>
>>              Summary: HDFS folder permission exclusively managed my Ranger
>>                  Key: RANGER-693
>>                  URL: https://issues.apache.org/jira/browse/RANGER-693
>>              Project: Ranger
>>           Issue Type: Improvement
>>     Affects Versions: 0.5.1
>>             Reporter: Don Bosco Durai
>>              Fix For: 0.6.0
>>
>>
>> In HDFS plugin, if there are no policies for the file/folder, then Ranger
>> falls backs to HDFS file/folder permission.
>>
>> While this is very convenient, but in some cases it is desirable that only
>> Ranger manages the policies. Good examples are folders like
>> /apps/hive/warehouse or some user folders where it is better that Ranger
>> manages the entire permission.
>>
>> One suggestion is to mark folders which will be managed by Ranger. For
>> these folders, ignore all permissions and ownership set at the HDFS
>> file/folder level.
>>
>> This will be a very useful feature for Ranger.
>>
>>
>>
>>
>> --
>> This message was sent by Atlassian JIRA
>> (v6.3.4#6332)
>>