Posted to dev@ranger.apache.org by "Don Bosco Durai (JIRA)" <ji...@apache.org> on 2015/09/29 22:51:04 UTC

[jira] [Commented] (RANGER-668) Improve Ranger to use native ACLs instead of agent policies

    [ https://issues.apache.org/jira/browse/RANGER-668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935839#comment-14935839 ] 

Don Bosco Durai commented on RANGER-668:
----------------------------------------

[~harisekhon], we looked into it and in Ranger 0.4 we implemented the support for grant in CLI. Now when you call grant in Hive or HBase CLI, the policies are pushed to Ranger (not the other way you wanted). The reason being Ranger supports wildcards and column level permissions, which Hive doesn't support. Also pushing to Ranger helped us ensure all the admin commands are audited and the policies are managed centrally.

For HDFS, we hit multiple challenges. Since HDFS does permissions on each file level, the number of ACLs is too large to be stored in Ranger. And the HDFS model doesn't support wildcards or recursion, so we couldn't push Ranger policies to HDFS.

We were considering adding a feature where you can mark certain folders to be exclusively managed by Ranger. E.g. /apps/hive/warehouse. In this way, any HDFS ACL will be ignored. This will have clear separation of ACL owners. Do you think a feature like this will be able to address your main concern?

A few other important things to note are:
1. Ranger now supports a bunch of other components (Solr, Kafka, YARN, KMS, etc.) and these components don't have a local ACL store
2. In Ranger 0.5, we introduced a feature called "Dynamic Policies". This enables anyone to write their own policy condition or call an external policy engine/API. These types of policies can't be pushed to HDFS or other native components.
3. In Ranger 0.6 we are introducing tag based policy. This abstracts the policies at a higher level. So if you tag a folder/file/table/column, etc. as "PII", then the global PII policy will be in effect. This changes the way you will even define policies going forward.

Give your thoughts. It will be very useful.

Thanks



> Improve Ranger to use native ACLs instead of agent policies
> -----------------------------------------------------------
>
>                 Key: RANGER-668
>                 URL: https://issues.apache.org/jira/browse/RANGER-668
>             Project: Ranger
>          Issue Type: Improvement
>    Affects Versions: 0.5.0
>         Environment: HDP 2.3 + Kerberos
>            Reporter: Hari Sekhon
>
> I raised a request around a year ago for Hortonworks to do native ACL push-down. It looks like Ranger is still doing agent policies, which creates a dependency on the Ranger agent (I know it's not a separate process to fail) rather than just keeping the ACL in, say, HDFS or Hive.
> I appreciate this is a big change, but is this something that can be realistically implemented in the mid-term?
> This would also allow better ACL auditing, since Ranger reading the online ACLs (e.g. from the NameNode) would truly give a unified view of the applied ACLs to a given data source.
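The precedence the comment above describes (Ranger wildcard/recursive policies, with the proposed Ranger-exclusive folders overriding native per-file HDFS ACLs, and the cost of expanding one Ranger policy into native entries) sketched as an added Python example; this is not Ranger's own code, and the policy shape, the `RANGER_EXCLUSIVE_PREFIXES` list and all sample paths are assumptions constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

# Assumption: the "exclusively managed by Ranger" folders proposed in the comment.
RANGER_EXCLUSIVE_PREFIXES = ["/apps/hive/warehouse"]

@dataclass
class RangerPolicy:
    resource: str     # path pattern; components may contain wildcards (e.g. "sales*")
    recursive: bool   # True: also covers every descendant of the matched path
    users: set
    allow: set        # granted permissions: "read", "write", "execute"

def ranger_matches(policy, path):
    """Component-wise wildcard match; extra trailing components only if recursive."""
    pat = [p for p in policy.resource.split("/") if p]
    parts = [p for p in path.split("/") if p]
    if len(parts) < len(pat) or (len(parts) > len(pat) and not policy.recursive):
        return False
    return all(fnmatch.fnmatchcase(a, b) for a, b in zip(parts, pat))

def is_ranger_managed(path):
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in RANGER_EXCLUSIVE_PREFIXES)

def hdfs_native_allows(native_acls, path, user, perm):
    """Native HDFS ACLs are per exact path: no wildcards, no recursion."""
    return perm in native_acls.get(path, {}).get(user, set())

def authorize(path, user, perm, policies, native_acls):
    """Return (allowed, deciding_source): Ranger first, native ACL only outside managed folders."""
    for pol in policies:
        if user in pol.users and perm in pol.allow and ranger_matches(pol, path):
            return True, "ranger"
    if is_ranger_managed(path):
        return False, "ranger"   # native ACL is ignored under a Ranger-managed folder
    return hdfs_native_allows(native_acls, path, user, perm), "hdfs"

def expand_to_native(policy, listing):
    """What push-down would cost: one exact-path ACL entry per matching file."""
    return {p: {u: set(policy.allow) for u in policy.users}
            for p in listing if ranger_matches(policy, p)}

# Constructed sample data (not from a real cluster).
POLICIES = [RangerPolicy("/apps/hive/warehouse/sales*", True, {"analyst"}, {"read", "execute"})]
NATIVE_ACLS = {
    "/apps/hive/warehouse/sales.db/q1.orc": {"analyst": {"write"}},  # ignored: Ranger-managed
    "/user/bob/notes.txt": {"bob": {"read", "write"}},
}
LISTING = ["/apps/hive/warehouse/sales.db/q1.orc", "/apps/hive/warehouse/sales.db/q2.orc",
           "/apps/hive/warehouse/hr.db/emp.orc", "/user/bob/notes.txt"]
```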



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)