Posted to dev@ranger.apache.org by "Madhan Neethiraj (JIRA)" <ji...@apache.org> on 2016/03/14 22:33:33 UTC

[jira] [Commented] (RANGER-357) Update Ranger HDFS plugin to use HDFS Authorization API

    [ https://issues.apache.org/jira/browse/RANGER-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15194186#comment-15194186 ] 

Madhan Neethiraj commented on RANGER-357:
-----------------------------------------

Ranger HDFS plugin update to use the HDFS authorization API results in a few changes in Ranger authorization of access to HDFS files/directories. These changes are detailed below.

Before looking at the change details, let's take a look at a few details of HDFS native authorization. For a user to access an HDFS file/directory, HDFS native authorization requires the user to have EXECUTE access on all ancestor directories and appropriate accesses on the target file/directory and its parent directory, as shown in the following examples:

{noformat}
 ---------------------------------------------
| Command       | Target | Parent | Ancestors |
|---------------------------------------------|
| mkdir         |   -    |   WX   |     X     |
|---------------------------------------------|
| rmdir         |   RX   |   WX   |     X     |
|---------------------------------------------|
| copyFromLocal |   -    |   WX   |     X     |
|---------------------------------------------|
| rm            |   -    |   WX   |     X     |
|---------------------------------------------|
| cat           |   R    |    X   |     X     |
|---------------------------------------------|
| appendToFile  |   W    |    X   |     X     |
|---------------------------------------------|
| ls            |   RX   |    X   |     X     |
 ---------------------------------------------
{noformat}

Now to the details of the changes in Ranger authorization since integration with HDFS pluggable authorization API:
 - Ranger authorization does not require the user to have EXECUTE access on all ancestor directories. It only requires the user to have appropriate access on the target file/directory and its parent directory. This should make it simpler for administrators to set up Ranger authorization policies, i.e. no need to ensure EXECUTE access to all ancestor directories.
 - Earlier, authorization at each level, i.e. target/parent/ancestors, could be granted either by Ranger policies or by HDFS native ACLs. Now, all necessary authorizations must be either granted by Ranger policies or by HDFS native ACLs. This does not allow an authorization to be partly granted by Ranger policies and partly by native ACLs.



> Update Ranger HDFS plugin to use HDFS Authorization API
> -------------------------------------------------------
>
>                 Key: RANGER-357
>                 URL: https://issues.apache.org/jira/browse/RANGER-357
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
>
>
> With HDFS-6826, HDFS supports a plugin interface to enable delegation of HDFS authorization. Ranger HDFS plugin should be updated to use the plugin interface.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
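
The rules described in the comment above, as an added example that is not part of the original message and is not Ranger or HDFS code. It is a simplified model: each source (Ranger policies, native ACLs) is a dict of per-user permission letters by path, the fallback to native ACLs is assumed to keep the full native check, and all function names, paths and grants are constructed for illustration.

```python
# Added illustration, not Ranger or HDFS code: a simplified model of the
# authorization rules described in the comment above.
# REQUIRED mirrors the comment's table: command -> (target, parent, ancestors).
REQUIRED = {
    "mkdir":         ("",   "wx", "x"),
    "rmdir":         ("rx", "wx", "x"),
    "copyFromLocal": ("",   "wx", "x"),
    "rm":            ("",   "wx", "x"),
    "cat":           ("r",  "x",  "x"),
    "appendToFile":  ("w",  "x",  "x"),
    "ls":            ("rx", "x",  "x"),
}

def checks(command, path, with_ancestors=True):
    """List (node, needed_perms) pairs for a non-root absolute path."""
    parts = [p for p in path.split("/") if p]
    nodes = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    need_t, need_p, need_a = REQUIRED[command]
    out = [(nodes[-1], need_t), (nodes[-2], need_p)]
    if with_ancestors:
        out += [(a, need_a) for a in nodes[:-2]]
    return out

def grants(source, node, need):
    """True if this source (dict: path -> permission letters) covers `need`."""
    return set(need) <= set(source.get(node, ""))

def native_allows(native, command, path):
    return all(grants(native, n, need) for n, need in checks(command, path))

def before_change(ranger, native, command, path):
    # Earlier: every level is checked, and each level may come from either source.
    return all(grants(ranger, n, need) or grants(native, n, need)
               for n, need in checks(command, path))

def after_change(ranger, native, command, path):
    # Now: Ranger policies only need to cover target + parent, or native ACLs
    # must cover everything; a mix of the two sources no longer passes.
    ranger_ok = all(grants(ranger, n, need)
                    for n, need in checks(command, path, with_ancestors=False))
    return ranger_ok or native_allows(native, command, path)

# Constructed sample grants for one user (not taken from any real cluster).
PATH = "/data/hr/payroll.csv"
RANGER_ONLY = {PATH: "r", "/data/hr": "x"}           # no ancestor EXECUTE
MIXED_RANGER = {PATH: "r"}                           # Ranger covers the target only
MIXED_NATIVE = {"/": "x", "/data": "x", "/data/hr": "x"}
```

With these samples, `cat` on PATH passes after the change with RANGER_ONLY although no ancestor EXECUTE is granted, while the MIXED_RANGER plus MIXED_NATIVE split that passed before the change is now denied. Policies that relied on such a split are the ones to review when upgrading.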