hdfs user can bypass policy in ranger

[Suraj Nayak <sn...@gmail.com>]

Hi Ranger Users,

Am new to Ranger. What I tried was, I created a HDFS policy for a file
created by user say *hdusr. *The policy states only hdusr can access.
Ranger behaves perfectly well by denying access to this hdfs file resource
for all users other than *hdusr* except *hdfs* user.

Does this mean that *hdfs *superuser can bypass the policy and open, rename
and delete a file which is protected by Ranger policy?

Thanks in advance :)

-- 
Thanks
Suraj Nayak M

Re: hdfs user can bypass policy in ranger

[Suraj Nayak <sn...@gmail.com>]

Hi Ranger Users,

Few more questions:

   - I enabled auditing for a HDFS resource */demo/card_data* and added
   policy that only a specific group can access this. As *hdfs* is
   superuser in hadoop world, hdfs can bypass the rules set by ranger. But
   when I checked the auditing section for this HDFS resource
   */demo/card_data*, *hdfs *users audit logs were not found. In fact, no
   audit logs are captured for any access done by *hdfs* user. What is the
   expected behaviour?
   - If there is a global policy which states */demo/* *recursively has
   *public* access, along with a policy which states that */demo/card_data*
   is accessible only to *hdusr*, then a global policy is applied and
   anyone can access */demo *resource recursively. What is the expected
   behaviour?
   - Can i somehow have negation condition which overriders all policies.
   Say */demo *had global access policy and other policy states except
   *hdfs* supergroup every user should be able to access the HDFS resource.

Thanks in advance!

On Thu, Jun 4, 2015 at 6:17 AM, Suraj Nayak <sn...@gmail.com> wrote:

> Thanks Loïc for the quick response! So, to protect PII information being
> accessed from admins encryption is the way ahead. Right?
>
> On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <lo...@worldline.com>
> wrote:
>
>>  Hi Suraj Nayak,
>>
>>
>>
>> As Hadoop authorizations run the same way than Unix ones, *hdfs* is the
>> equivalent of super user in Linux.
>>
>> So basically yes *hdfs* can bypass any rule/policy set by Ranger as it
>> has all the rights on the cluster.
>>
>>
>>
>> Regards,
>>
>>
>>
>>
>>
>> Loïc
>>
>>
>>
>>
>>
>> *De :* Suraj Nayak [mailto:snayakm@gmail.com]
>> *Envoyé :* jeudi 4 juin 2015 14:48
>> *À :* user@ranger.incubator.apache.org
>> *Objet :* hdfs user can bypass policy in ranger
>>
>>
>>
>> Hi Ranger Users,
>>
>>
>>
>> Am new to Ranger. What I tried was, I created a HDFS policy for a file
>> created by user say *hdusr. *The policy states only hdusr can access.
>> Ranger behaves perfectly well by denying access to this hdfs file resource
>> for all users other than *hdusr* except *hdfs* user.
>>
>>
>>
>> Does this mean that *hdfs *superuser can bypass the policy and open,
>> rename and delete a file which is protected by Ranger policy?
>>
>>
>>
>> Thanks in advance :)
>>
>>
>>
>> --
>>
>> Thanks
>>
>> Suraj Nayak M
>>
>> ------------------------------
>>
>> Ce message et les pièces jointes sont confidentiels et réservés à l'usage
>> exclusif de ses destinataires. Il peut également être protégé par le secret
>> professionnel. Si vous recevez ce message par erreur, merci d'en avertir
>> immédiatement l'expéditeur et de le détruire. L'intégrité du message ne
>> pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra
>> être recherchée quant au contenu de ce message. Bien que les meilleurs
>> efforts soient faits pour maintenir cette transmission exempte de tout
>> virus, l'expéditeur ne donne aucune garantie à cet égard et sa
>> responsabilité ne saurait être recherchée pour tout dommage résultant d'un
>> virus transmis.
>>
>> This e-mail and the documents attached are confidential and intended
>> solely for the addressee; it may also be privileged. If you receive this
>> e-mail in error, please notify the sender immediately and destroy it. As
>> its integrity cannot be secured on the Internet, the Worldline liability
>> cannot be triggered for the message content. Although the sender endeavours
>> to maintain a computer virus-free network, the sender does not warrant that
>> this transmission is virus-free and will not be liable for any damages
>> resulting from any virus transmitted.
>>
>
>
>
> --
> Thanks
> Suraj Nayak M
>



-- 
Thanks
Suraj Nayak M

Re: hdfs user can bypass policy in ranger

[Alok Lal <al...@hortonworks.com>]

Please ignore my last post.  It relates to HBASE but the question is for HDFS.  Sorry about the confusion.

From: Alok Lal <al...@hortonworks.com>>
Reply-To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Date: Thursday, June 4, 2015 at 11:56 AM
To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>, "loic.chanel@worldline.com<ma...@worldline.com>" <lo...@worldline.com>>
Subject: Re: hdfs user can bypass policy in ranger

This behavior is configurable.  There is a property in hbase-site.xml hbase.superuser which control this behavior.  Here is a snippet of that file.

  <property>
    <name>hbase.superuser</name>
    <value>hbase</value>
    <description>List of users or groups (comma-separated), who are allowed
    full privileges, regardless of stored ACLs, across the cluster.
    Only used when HBase security is enabled.
    </description>
  </property>


From: Suraj Nayak <sn...@gmail.com>>
Reply-To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Date: Thursday, June 4, 2015 at 6:17 AM
To: "loic.chanel@worldline.com<ma...@worldline.com>" <lo...@worldline.com>>
Cc: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Subject: Re: hdfs user can bypass policy in ranger

Thanks Loïc for the quick response! So, to protect PII information being accessed from admins encryption is the way ahead. Right?

On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <lo...@worldline.com>> wrote:
Hi Suraj Nayak,

As Hadoop authorizations run the same way than Unix ones, hdfs is the equivalent of super user in Linux.
So basically yes hdfs can bypass any rule/policy set by Ranger as it has all the rights on the cluster.

Regards,


Loïc


De : Suraj Nayak [mailto:snayakm@gmail.com<ma...@gmail.com>]
Envoyé : jeudi 4 juin 2015 14:48
À :user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>
Objet : hdfs user can bypass policy in ranger

Hi Ranger Users,

Am new to Ranger. What I tried was, I created a HDFS policy for a file created by user say hdusr. The policy states only hdusr can access. Ranger behaves perfectly well by denying access to this hdfs file resource for all users other than hdusr except hdfs user.

Does this mean that hdfs superuser can bypass the policy and open, rename and delete a file which is protected by Ranger policy?

Thanks in advance :)

--
Thanks
Suraj Nayak M

________________________________

Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.



--
Thanks
Suraj Nayak M

Re: hdfs user can bypass policy in ranger

[Alok Lal <al...@hortonworks.com>]

This behavior is configurable.  There is a property in hbase-site.xml hbase.superuser which control this behavior.  Here is a snippet of that file.

  <property>
    <name>hbase.superuser</name>
    <value>hbase</value>
    <description>List of users or groups (comma-separated), who are allowed
    full privileges, regardless of stored ACLs, across the cluster.
    Only used when HBase security is enabled.
    </description>
  </property>


From: Suraj Nayak <sn...@gmail.com>>
Reply-To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Date: Thursday, June 4, 2015 at 6:17 AM
To: "loic.chanel@worldline.com<ma...@worldline.com>" <lo...@worldline.com>>
Cc: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Subject: Re: hdfs user can bypass policy in ranger

Thanks Loïc for the quick response! So, to protect PII information being accessed from admins encryption is the way ahead. Right?

On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <lo...@worldline.com>> wrote:
Hi Suraj Nayak,

As Hadoop authorizations run the same way than Unix ones, hdfs is the equivalent of super user in Linux.
So basically yes hdfs can bypass any rule/policy set by Ranger as it has all the rights on the cluster.

Regards,


Loïc


De : Suraj Nayak [mailto:snayakm@gmail.com<ma...@gmail.com>]
Envoyé : jeudi 4 juin 2015 14:48
À :user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>
Objet : hdfs user can bypass policy in ranger

Hi Ranger Users,

Am new to Ranger. What I tried was, I created a HDFS policy for a file created by user say hdusr. The policy states only hdusr can access. Ranger behaves perfectly well by denying access to this hdfs file resource for all users other than hdusr except hdfs user.

Does this mean that hdfs superuser can bypass the policy and open, rename and delete a file which is protected by Ranger policy?

Thanks in advance :)

--
Thanks
Suraj Nayak M

________________________________

Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.



--
Thanks
Suraj Nayak M

Re: hdfs user can bypass policy in ranger

[Alok Lal <al...@hortonworks.com>]

>> Hadoop does not invoke Ranger authorizer for "hdfs" superuser.


I couldn¹t find an open issue
<https://issues.apache.org/jira/issues/?jql=project%20%3D%20HADOOP%20AND%20
text%20~%20%22call%20authorizer%20for%20superuser%22> on Hadoop project
for this item.  Or has this been remedied in the new authorization API
that Hadoop has been working towards?



From:  Balaji Ganesan <ba...@gmail.com>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Sunday, June 7, 2015 at 5:16 PM
To:  Suraj Nayak <sn...@gmail.com>
Cc:  "loic.chanel@worldline.com" <lo...@worldline.com>,
"user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Re: hdfs user can bypass policy in ranger


Hadoop does not invoke Ranger authorizer for "hdfs" superuser. A
recommended method would be to setup separate administrator, different
from "hdfs" user. We have these administrators showing up in the audit logs

<<<Even the audits are not captured via Ranger for hdfs users. By
encrypting the data we can solve the issue of data
 access by admins partially, as hdfs user can apply brute force method to
crack the encryption system and this activity is never logged in Ranger.


I am not sure what brute force method you are referring here. In HDFS
encryption that has been introduced, "hdfs" user can be blocked and it
would be very hard for "hdfs" user to get a key to decrypt data.


On Sun, Jun 7, 2015 at 1:49 PM, Suraj Nayak
<sn...@gmail.com> wrote:

Thanks Balaji for your reply.

Is there a reason why Ranger does not call authorizer for superuser
operations? 

Even the audits are not captured via Ranger for hdfs users. By encrypting
the data we can solve the issue of data access by admins partially, as
hdfs user can apply brute force method to crack the encryption system and
this activity is never logged
 in Ranger.

Can we enable auditing for superusers?

Thanks in advance! 



On Thu, Jun 4, 2015 at 12:28 PM, Balaji Ganesan
<ba...@gmail.com> wrote:

Yes, best way to protect sensitive data from admins would be to use
encryption. For access control, HDFS does not call Ranger authorizer for
superuser operations. Consequently, there is no access control enforced by
Ranger nor there is Ranger
 audit. 

On Thu, Jun 4, 2015 at 6:17 AM, Suraj Nayak
<sn...@gmail.com> wrote:

Thanks Loïc for the quick response! So, to protect PII information being
accessed from admins encryption is the way ahead. Right?

On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc
<lo...@worldline.com> wrote:

Hi Suraj Nayak,
 
As Hadoop authorizations run the same way than Unix ones,
hdfs is the equivalent of super user in Linux.
So basically yes
hdfs can bypass any rule/policy set by Ranger as it has all the rights on
the cluster.
 
Regards,
 
 
Loïc
 
 
De : Suraj Nayak [mailto:snayakm@gmail.com]

Envoyé : jeudi 4 juin 2015 14:48
À :user@ranger.incubator.apache.org
Objet : hdfs user can bypass policy in ranger
 
Hi Ranger Users,
 

Am new to Ranger. What I tried was, I created a HDFS policy for a file
created by user say
hdusr. The policy states only hdusr can access. Ranger behaves perfectly
well by denying access to this hdfs file resource for all users other than
hdusr except hdfs user.

 

Does this mean that hdfs superuser can bypass the policy and open, rename
and delete a file which is protected by Ranger policy?

 

Thanks in advance :)

 

-- 
Thanks

Suraj Nayak M









________________________________________

Ce message et les pièces jointes sont confidentiels et réservés à l'usage
exclusif de ses destinataires. Il peut également être protégé par le
secret professionnel. Si vous recevez ce message par erreur, merci d'en
avertir immédiatement l'expéditeur et de le
 détruire. L'intégrité du message ne pouvant être assurée sur Internet, la
responsabilité de Worldline ne pourra être recherchée quant au contenu de
ce message. Bien que les meilleurs efforts soient faits pour maintenir
cette transmission exempte de tout virus,
 l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne
saurait être recherchée pour tout dommage résultant d'un virus transmis.

This e-mail and the documents attached are confidential and intended
solely for the addressee; it may also be privileged. If you receive this
e-mail in error, please notify the sender immediately and destroy it. As
its integrity cannot be secured on the Internet,
 the Worldline liability cannot be triggered for the message content.
Although the sender endeavours to maintain a computer virus-free network,
the sender does not warrant that this transmission is virus-free and will
not be liable for any damages resulting
 from any virus transmitted.







-- 
Thanks
Suraj Nayak M


















-- 
Thanks
Suraj Nayak M

Re: hdfs user can bypass policy in ranger

[Balaji Ganesan <ba...@gmail.com>]

Hadoop does not invoke Ranger authorizer for "hdfs" superuser. A
recommended method would be to setup separate administrator, different from
"hdfs" user. We have these administrators showing up in the audit logs

<<<Even the audits are not captured via Ranger for *hdfs *users. By
encrypting the data we can solve the issue of data access by admins
partially, as hdfs user can apply brute force method to crack the
encryption system and this activity is never logged in Ranger.

I am not sure what brute force method you are referring here. In HDFS
encryption that has been introduced, "hdfs" user can be blocked and it
would be very hard for "hdfs" user to get a key to decrypt data.

On Sun, Jun 7, 2015 at 1:49 PM, Suraj Nayak <sn...@gmail.com> wrote:

> Thanks Balaji for your reply.
>
> Is there a reason why Ranger does not call authorizer for superuser
> operations?
>
> Even the audits are not captured via Ranger for *hdfs *users. By
> encrypting the data we can solve the issue of data access by admins
> partially, as hdfs user can apply brute force method to crack the
> encryption system and this activity is never logged in Ranger.
>
> Can we enable auditing for superusers?
>
> Thanks in advance!
>
>
> On Thu, Jun 4, 2015 at 12:28 PM, Balaji Ganesan <
> balaji.ganesan03@gmail.com> wrote:
>
>> Yes, best way to protect sensitive data from admins would be to use
>> encryption. For access control, HDFS does not call Ranger authorizer for
>> superuser operations. Consequently, there is no access control enforced by
>> Ranger nor there is Ranger audit.
>>
>> On Thu, Jun 4, 2015 at 6:17 AM, Suraj Nayak <sn...@gmail.com> wrote:
>>
>>> Thanks Loïc for the quick response! So, to protect PII information being
>>> accessed from admins encryption is the way ahead. Right?
>>>
>>> On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <lo...@worldline.com>
>>> wrote:
>>>
>>>>  Hi Suraj Nayak,
>>>>
>>>>
>>>>
>>>> As Hadoop authorizations run the same way than Unix ones, *hdfs* is
>>>> the equivalent of super user in Linux.
>>>>
>>>> So basically yes *hdfs* can bypass any rule/policy set by Ranger as it
>>>> has all the rights on the cluster.
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Loïc
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *De :* Suraj Nayak [mailto:snayakm@gmail.com]
>>>> *Envoyé :* jeudi 4 juin 2015 14:48
>>>> *À :* user@ranger.incubator.apache.org
>>>> *Objet :* hdfs user can bypass policy in ranger
>>>>
>>>>
>>>>
>>>> Hi Ranger Users,
>>>>
>>>>
>>>>
>>>> Am new to Ranger. What I tried was, I created a HDFS policy for a file
>>>> created by user say *hdusr. *The policy states only hdusr can access.
>>>> Ranger behaves perfectly well by denying access to this hdfs file resource
>>>> for all users other than *hdusr* except *hdfs* user.
>>>>
>>>>
>>>>
>>>> Does this mean that *hdfs *superuser can bypass the policy and open,
>>>> rename and delete a file which is protected by Ranger policy?
>>>>
>>>>
>>>>
>>>> Thanks in advance :)
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Thanks
>>>>
>>>> Suraj Nayak M
>>>>
>>>> ------------------------------
>>>>
>>>> Ce message et les pièces jointes sont confidentiels et réservés à
>>>> l'usage exclusif de ses destinataires. Il peut également être protégé par
>>>> le secret professionnel. Si vous recevez ce message par erreur, merci d'en
>>>> avertir immédiatement l'expéditeur et de le détruire. L'intégrité du
>>>> message ne pouvant être assurée sur Internet, la responsabilité de
>>>> Worldline ne pourra être recherchée quant au contenu de ce message. Bien
>>>> que les meilleurs efforts soient faits pour maintenir cette transmission
>>>> exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et
>>>> sa responsabilité ne saurait être recherchée pour tout dommage résultant
>>>> d'un virus transmis.
>>>>
>>>> This e-mail and the documents attached are confidential and intended
>>>> solely for the addressee; it may also be privileged. If you receive this
>>>> e-mail in error, please notify the sender immediately and destroy it. As
>>>> its integrity cannot be secured on the Internet, the Worldline liability
>>>> cannot be triggered for the message content. Although the sender endeavours
>>>> to maintain a computer virus-free network, the sender does not warrant that
>>>> this transmission is virus-free and will not be liable for any damages
>>>> resulting from any virus transmitted.
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks
>>> Suraj Nayak M
>>>
>>
>>
>
>
> --
> Thanks
> Suraj Nayak M
>

Re: hdfs user can bypass policy in ranger

[Suraj Nayak <sn...@gmail.com>]

Thanks Balaji for your reply.

Is there a reason why Ranger does not call authorizer for superuser
operations?

Even the audits are not captured via Ranger for *hdfs *users. By encrypting
the data we can solve the issue of data access by admins partially, as hdfs
user can apply brute force method to crack the encryption system and this
activity is never logged in Ranger.

Can we enable auditing for superusers?

Thanks in advance!


On Thu, Jun 4, 2015 at 12:28 PM, Balaji Ganesan <ba...@gmail.com>
wrote:

> Yes, best way to protect sensitive data from admins would be to use
> encryption. For access control, HDFS does not call Ranger authorizer for
> superuser operations. Consequently, there is no access control enforced by
> Ranger nor there is Ranger audit.
>
> On Thu, Jun 4, 2015 at 6:17 AM, Suraj Nayak <sn...@gmail.com> wrote:
>
>> Thanks Loïc for the quick response! So, to protect PII information being
>> accessed from admins encryption is the way ahead. Right?
>>
>> On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <lo...@worldline.com>
>> wrote:
>>
>>>  Hi Suraj Nayak,
>>>
>>>
>>>
>>> As Hadoop authorizations run the same way than Unix ones, *hdfs* is the
>>> equivalent of super user in Linux.
>>>
>>> So basically yes *hdfs* can bypass any rule/policy set by Ranger as it
>>> has all the rights on the cluster.
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>>
>>>
>>> Loïc
>>>
>>>
>>>
>>>
>>>
>>> *De :* Suraj Nayak [mailto:snayakm@gmail.com]
>>> *Envoyé :* jeudi 4 juin 2015 14:48
>>> *À :* user@ranger.incubator.apache.org
>>> *Objet :* hdfs user can bypass policy in ranger
>>>
>>>
>>>
>>> Hi Ranger Users,
>>>
>>>
>>>
>>> Am new to Ranger. What I tried was, I created a HDFS policy for a file
>>> created by user say *hdusr. *The policy states only hdusr can access.
>>> Ranger behaves perfectly well by denying access to this hdfs file resource
>>> for all users other than *hdusr* except *hdfs* user.
>>>
>>>
>>>
>>> Does this mean that *hdfs *superuser can bypass the policy and open,
>>> rename and delete a file which is protected by Ranger policy?
>>>
>>>
>>>
>>> Thanks in advance :)
>>>
>>>
>>>
>>> --
>>>
>>> Thanks
>>>
>>> Suraj Nayak M
>>>
>>> ------------------------------
>>>
>>> Ce message et les pièces jointes sont confidentiels et réservés à
>>> l'usage exclusif de ses destinataires. Il peut également être protégé par
>>> le secret professionnel. Si vous recevez ce message par erreur, merci d'en
>>> avertir immédiatement l'expéditeur et de le détruire. L'intégrité du
>>> message ne pouvant être assurée sur Internet, la responsabilité de
>>> Worldline ne pourra être recherchée quant au contenu de ce message. Bien
>>> que les meilleurs efforts soient faits pour maintenir cette transmission
>>> exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et
>>> sa responsabilité ne saurait être recherchée pour tout dommage résultant
>>> d'un virus transmis.
>>>
>>> This e-mail and the documents attached are confidential and intended
>>> solely for the addressee; it may also be privileged. If you receive this
>>> e-mail in error, please notify the sender immediately and destroy it. As
>>> its integrity cannot be secured on the Internet, the Worldline liability
>>> cannot be triggered for the message content. Although the sender endeavours
>>> to maintain a computer virus-free network, the sender does not warrant that
>>> this transmission is virus-free and will not be liable for any damages
>>> resulting from any virus transmitted.
>>>
>>
>>
>>
>> --
>> Thanks
>> Suraj Nayak M
>>
>
>


-- 
Thanks
Suraj Nayak M

Re: hdfs user can bypass policy in ranger

[Balaji Ganesan <ba...@gmail.com>]

Yes, best way to protect sensitive data from admins would be to use
encryption. For access control, HDFS does not call Ranger authorizer for
superuser operations. Consequently, there is no access control enforced by
Ranger nor there is Ranger audit.

On Thu, Jun 4, 2015 at 6:17 AM, Suraj Nayak <sn...@gmail.com> wrote:

> Thanks Loïc for the quick response! So, to protect PII information being
> accessed from admins encryption is the way ahead. Right?
>
> On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <lo...@worldline.com>
> wrote:
>
>>  Hi Suraj Nayak,
>>
>>
>>
>> As Hadoop authorizations run the same way than Unix ones, *hdfs* is the
>> equivalent of super user in Linux.
>>
>> So basically yes *hdfs* can bypass any rule/policy set by Ranger as it
>> has all the rights on the cluster.
>>
>>
>>
>> Regards,
>>
>>
>>
>>
>>
>> Loïc
>>
>>
>>
>>
>>
>> *De :* Suraj Nayak [mailto:snayakm@gmail.com]
>> *Envoyé :* jeudi 4 juin 2015 14:48
>> *À :* user@ranger.incubator.apache.org
>> *Objet :* hdfs user can bypass policy in ranger
>>
>>
>>
>> Hi Ranger Users,
>>
>>
>>
>> Am new to Ranger. What I tried was, I created a HDFS policy for a file
>> created by user say *hdusr. *The policy states only hdusr can access.
>> Ranger behaves perfectly well by denying access to this hdfs file resource
>> for all users other than *hdusr* except *hdfs* user.
>>
>>
>>
>> Does this mean that *hdfs *superuser can bypass the policy and open,
>> rename and delete a file which is protected by Ranger policy?
>>
>>
>>
>> Thanks in advance :)
>>
>>
>>
>> --
>>
>> Thanks
>>
>> Suraj Nayak M
>>
>> ------------------------------
>>
>> Ce message et les pièces jointes sont confidentiels et réservés à l'usage
>> exclusif de ses destinataires. Il peut également être protégé par le secret
>> professionnel. Si vous recevez ce message par erreur, merci d'en avertir
>> immédiatement l'expéditeur et de le détruire. L'intégrité du message ne
>> pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra
>> être recherchée quant au contenu de ce message. Bien que les meilleurs
>> efforts soient faits pour maintenir cette transmission exempte de tout
>> virus, l'expéditeur ne donne aucune garantie à cet égard et sa
>> responsabilité ne saurait être recherchée pour tout dommage résultant d'un
>> virus transmis.
>>
>> This e-mail and the documents attached are confidential and intended
>> solely for the addressee; it may also be privileged. If you receive this
>> e-mail in error, please notify the sender immediately and destroy it. As
>> its integrity cannot be secured on the Internet, the Worldline liability
>> cannot be triggered for the message content. Although the sender endeavours
>> to maintain a computer virus-free network, the sender does not warrant that
>> this transmission is virus-free and will not be liable for any damages
>> resulting from any virus transmitted.
>>
>
>
>
> --
> Thanks
> Suraj Nayak M
>

Re: hdfs user can bypass policy in ranger

[Suraj Nayak <sn...@gmail.com>]

Thanks Loïc for the quick response! So, to protect PII information being
accessed from admins encryption is the way ahead. Right?

On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <lo...@worldline.com>
wrote:

>  Hi Suraj Nayak,
>
>
>
> As Hadoop authorizations run the same way than Unix ones, *hdfs* is the
> equivalent of super user in Linux.
>
> So basically yes *hdfs* can bypass any rule/policy set by Ranger as it
> has all the rights on the cluster.
>
>
>
> Regards,
>
>
>
>
>
> Loïc
>
>
>
>
>
> *De :* Suraj Nayak [mailto:snayakm@gmail.com]
> *Envoyé :* jeudi 4 juin 2015 14:48
> *À :* user@ranger.incubator.apache.org
> *Objet :* hdfs user can bypass policy in ranger
>
>
>
> Hi Ranger Users,
>
>
>
> Am new to Ranger. What I tried was, I created a HDFS policy for a file
> created by user say *hdusr. *The policy states only hdusr can access.
> Ranger behaves perfectly well by denying access to this hdfs file resource
> for all users other than *hdusr* except *hdfs* user.
>
>
>
> Does this mean that *hdfs *superuser can bypass the policy and open,
> rename and delete a file which is protected by Ranger policy?
>
>
>
> Thanks in advance :)
>
>
>
> --
>
> Thanks
>
> Suraj Nayak M
>
> ------------------------------
>
> Ce message et les pièces jointes sont confidentiels et réservés à l'usage
> exclusif de ses destinataires. Il peut également être protégé par le secret
> professionnel. Si vous recevez ce message par erreur, merci d'en avertir
> immédiatement l'expéditeur et de le détruire. L'intégrité du message ne
> pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra
> être recherchée quant au contenu de ce message. Bien que les meilleurs
> efforts soient faits pour maintenir cette transmission exempte de tout
> virus, l'expéditeur ne donne aucune garantie à cet égard et sa
> responsabilité ne saurait être recherchée pour tout dommage résultant d'un
> virus transmis.
>
> This e-mail and the documents attached are confidential and intended
> solely for the addressee; it may also be privileged. If you receive this
> e-mail in error, please notify the sender immediately and destroy it. As
> its integrity cannot be secured on the Internet, the Worldline liability
> cannot be triggered for the message content. Although the sender endeavours
> to maintain a computer virus-free network, the sender does not warrant that
> this transmission is virus-free and will not be liable for any damages
> resulting from any virus transmitted.
>



-- 
Thanks
Suraj Nayak M

RE: hdfs user can bypass policy in ranger

[Chanel Loïc <lo...@worldline.com>]

Hi Suraj Nayak,

As Hadoop authorizations run the same way than Unix ones, hdfs is the equivalent of super user in Linux.
So basically yes hdfs can bypass any rule/policy set by Ranger as it has all the rights on the cluster.

Regards,


Loïc


De : Suraj Nayak [mailto:snayakm@gmail.com]
Envoyé : jeudi 4 juin 2015 14:48
À : user@ranger.incubator.apache.org
Objet : hdfs user can bypass policy in ranger

Hi Ranger Users,

Am new to Ranger. What I tried was, I created a HDFS policy for a file created by user say hdusr. The policy states only hdusr can access. Ranger behaves perfectly well by denying access to this hdfs file resource for all users other than hdusr except hdfs user.

Does this mean that hdfs superuser can bypass the policy and open, rename and delete a file which is protected by Ranger policy?

Thanks in advance :)

--
Thanks
Suraj Nayak M

________________________________

Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.