Posted to user@ranger.apache.org by Don Bosco Durai <bo...@apache.org> on 2015/05/01 06:44:21 UTC

Re: Troubles with HDFS policies

Hi Loïc

Thanks for the feedback.

I think, you are referring to the Hortonworks documentation.

We have a place holder in Apache Ranger Wiki site for user guide. We can
start working on it. If you can give your confluence id, we can give you
edit permission.

Thanks

Bosco

From:  Chanel Loïc <lo...@worldline.com>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Thursday, April 30, 2015 at 1:32 AM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  RE: Troubles with HDFS policies

> Hi,
>  
> Indeed, page 10 of the Ranger User Guide specifies:
>  
> "Through configuration, Apache Ranger enables both Ranger policies and HDFS
> permissions to be checked for a user request. When the NameNode receives a
> user request, the Ranger plugin checks for policies set through the Ranger
> Policy Manager. If there are no policies, the Ranger plugin checks for
> permissions set in HDFS.
> We recommend that permissions be created at the Ranger Policy Manager, and to
> have restrictive permissions at the HDFS level."
>  
> So setting very restrictive permissions with HDFS makes it possible to manage
> the cluster security entirely with Ranger.
> Still, as I noticed some small mistakes, do you know how I can contribute to
> the documentation improvement?
>  
> Thanks for your help,
>  
>  
> Loïc
>  
>  
> 
> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco
> Durai
> Sent: Wednesday, April 29, 2015 17:45
> To: user@ranger.incubator.apache.org
> Subject: Re: Troubles with HDFS policies
>  
> 
> Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't find
> any permission in its policy database, then it falls back to HDFS permission
> check. So make sure in the HDFS level, you have 700 or even 000 for the given
> folder and manage all the permissions via Ranger. We recommend picking all
> relevant folders (e.g. Hive data warehouse folder) and do hdfs dfs -chown -R
> hdfs:hdfs $folderName and hdfs dfs -chmod -R 000 $folderName.
> 
>  
> 
> Please note, falling back to native permission is only available in HDFS.
> There is a switch to turn it off, but you have to be cautious when using it.
> 
>  
> 
> Thanks
> 
>  
> 
> Bosco
> 
>  
> 
>  
> 
> From: Chanel Loïc <lo...@worldline.com>
> Reply-To: "user@ranger.incubator.apache.org"
> <us...@ranger.incubator.apache.org>
> Date: Wednesday, April 29, 2015 at 5:24 AM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: Troubles with HDFS policies
> 
>  
>> 
>> Hi All,
>>  
>> As I am trying to set a Hadoop secured cluster with Ranger, I encountered
>> some troubles.
>> The principal one consists in the fact that even if I have no rights to read,
>> write or execute files in a directory, I still can execute a ls command (hdfs
>> dfs -ls /testdir) showing me the files that I should not be able to read, or
>> even see. I can even see the file contents by making a cat on these files
>> (hdfs dfs -cat /testdir/testfile) that I should not be able to read, which is
>> even more problematic to me.
>> In parallel, I am not able to put any files in the directory (Permission
>> denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me
>> think the policies are correctly set.
>>  
>> Does that sound quite normal to you? Do you see a solution to make sure my
>> user toto cannot see what is in the repository of my user tata?
>> Thanks for your help,
>>  
>>  
>> Loïc Chanel
>>  
>> 
>> 
>> 
> This e-mail and the documents attached are confidential and intended solely
> for the addressee; it may also be privileged. If you receive this e-mail in
> error, please notify the sender immediately and destroy it. As its integrity
> cannot be secured on the Internet, the Worldline liability cannot be triggered
> for the message content. Although the sender endeavours to maintain a computer
> virus-free network, the sender does not warrant that this transmission is
> virus-free and will not be liable for any damages resulting from any virus
> transmitted.
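
Added example (not part of the original thread, and not Ranger or Hadoop project code): because Ranger falls back to the native HDFS permission check when no policy matches, this shell function reads hdfs dfs -ls output and flags entries whose owner, mode bits or ACL marker would still grant access on fallback. The function names audit_fallback and sample_listing, the default owner hdfs, and the listing itself are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `hdfs dfs -ls` output for entries that native HDFS
# permissions would still expose when Ranger has no matching policy.
# audit_fallback and sample_listing are hypothetical names; the listing is
# constructed sample data, not output from a real cluster.

# Reads `hdfs dfs -ls [-R]` lines on stdin. $1 is the account that should own
# locked-down folders (default: hdfs). Prints "path: reason" per finding.
audit_fallback() {
    awk -v owner="${1:-hdfs}" '
        function add(list, item) { return (list == "" ? item : list "; " item) }

        # Skip "Found N items" and anything that is not a listing row:
        # mode string, replication, owner, group, size, date, time, path.
        NF < 8 || length($1) < 10 || $1 !~ /^[-dl][-rwxsStT]+[+.]?$/ { next }

        {
            reason = ""
            # Characters 5-10 of the mode string are the group and other bits.
            bits = substr($1, 5, 6)
            if (bits != "------") reason = add(reason, "group/other bits " bits)
            # A trailing "+" means the entry also carries an HDFS ACL.
            if ($1 ~ /[+]$/)      reason = add(reason, "has ACL entries")
            if ($3 != owner)      reason = add(reason, "owner is " $3)

            # The path is everything from field 8 on (it may contain spaces).
            path = $8
            for (i = 9; i <= NF; i++) path = path " " $i
            if (reason != "") print path ": " reason
        }
    '
}

# Constructed listing: two entries left at permissive modes, one folder locked
# down with chown hdfs:hdfs and chmod 000, one at 700 owned by hdfs.
sample_listing() {
    cat <<'EOF'
Found 4 items
drwxr-xr-x   - tata hdfs          0 2015-04-29 10:02 /testdir
-rw-r--r--   3 tata hdfs         42 2015-04-29 10:03 /testdir/testfile
d---------   - hdfs hdfs          0 2015-04-29 10:05 /apps/hive/warehouse
drwx------   - hdfs hdfs          0 2015-04-29 10:06 /secure
EOF
}

sample_listing | audit_fallback hdfs
```

On a cluster, pipe hdfs dfs -ls -R $folderName into audit_fallback; every path it prints is one where the HDFS fallback, not a Ranger policy, decides access for users other than the owner.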



Re: Troubles with HDFS policies

Posted by Loïc Chanel <lo...@telecomnancy.net>.
I just created my account on JIRA.
My user ID is the same as in Confluence: bartimeux.

Regards,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-09 18:43 GMT+02:00 Don Bosco Durai <bo...@apache.org>:

> Loïc, thanks
>
> Can you also create a JIRA to track it? Selva can you help here to add
> Loïc  to the contributor list?
>
> Thanks
>
> Bosco
>
>
> From: Loïc Chanel <lo...@telecomnancy.net>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Tuesday, June 9, 2015 at 7:52 AM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: Re: Troubles with HDFS policies
>
> Hi,
>
> Actually, I still have to modify it, but I will complete it as I go
> further in Hadoop secured ecosystem deployment.
>
> The principal thing I wanted to document was the way to use Apache Knox,
> as I noticed some mistakes in the URLs for Knox usage described by the
> documentations I found on the Web (like unnecessary "/api").
> But as I am working on the deployment of a fully secured multi-tenant
> cluster providing services such as Spark, Hive and HBase, I will have to
> provide some documentation describing how to deploy Apache Ranger to manage
> security on these components.
>
> Therefore, that documentation should improve and complete what I started
> to write on Confluence.
>
> Regards,
>
>
> Loïc
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
>
> 2015-06-04 19:00 GMT+02:00 Don Bosco Durai <bo...@apache.org>:
>
>> Hi
>>
>> I apologize, I missed this email somehow.
>>
>> Thanks for putting this document together. It is looking good. I think,
>> this will be good starting point to build our user guide.
>>
>> I feel, we should list out the topics we want to document and share the
>> effort.
>>
>> Thanks again
>>
>> Bosco
>>
>> From: Chanel Loïc <lo...@worldline.com>
>> Reply-To: "user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> Date: Tuesday, May 26, 2015 at 6:33 AM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: RE: Troubles with HDFS policies
>>
>> Hi Bosco,
>>
>>
>>
>> I wrote some paragraphs on the page
>> https://cwiki.apache.org/confluence/display/RANGER/Ranger+User+Guide
>>
>> As I only worked on Ranger and HDFS for now, it is the first part I
>> created, but I will document the other components in the upcoming weeks.
>>
>> Feel free to make any remarks, and to tell me if this suits you.
>>
>>
>>
>> In the meantime, I noticed some missing things and typos in Ranger
>> Hortonworks documentation. Can I help improve it somehow?
>>
>>
>>
>> Thanks,
>>
>>
>>
>>
>>
>> Loïc
>>
>>
>>
>> *From:* Don Bosco Durai [mailto:bdurai@hortonworks.com
>> <bd...@hortonworks.com>] *On behalf of* Don Bosco Durai
>> *Sent:* Monday, May 4, 2015 19:05
>> *To:* user@ranger.incubator.apache.org
>> *Subject:* Re: Troubles with HDFS policies
>>
>>
>>
>> I have given you the permission. Let’s co-ordinate on creating the user
>> guide page.
>>
>>
>>
>> Thanks
>>
>>
>>
>> Bosco
>>
>>
>>
>>
>>
>> *From: *Chanel Loïc <lo...@worldline.com>
>> *Reply-To: *"user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> *Date: *Monday, May 4, 2015 at 1:23 AM
>> *To: *"user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> *Subject: *RE: Troubles with HDFS policies
>>
>>
>>
>> Hi Bosco,
>>
>>
>>
>> I just created an account on Confluence, my user ID is bartimeux.
>>
>> Thanks,
>>
>>
>>
>>
>>
>> Loïc
>>
>>
>>
>> *From:* Don Bosco Durai [mailto:bdurai@hortonworks.com
>> <bd...@hortonworks.com>] *On behalf of* Don Bosco Durai
>> *Sent:* Friday, May 1, 2015 06:44
>> *To:* user@ranger.incubator.apache.org
>> *Subject:* Re: Troubles with HDFS policies
>>
>>
>>
>> Hi Loïc
>>
>>
>>
>> Thanks for the feedback.
>>
>>
>>
>> I think, you are referring to the Hortonworks documentation.
>>
>>
>>
>> We have a place holder in Apache Ranger Wiki site for user guide. We can
>> start working on it. If you can give your confluence id, we can give you
>> edit permission.
>>
>>
>>
>> Thanks
>>
>>
>>
>> Bosco
>>
>>
>>
>> *From: *Chanel Loïc <lo...@worldline.com>
>> *Reply-To: *"user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> *Date: *Thursday, April 30, 2015 at 1:32 AM
>> *To: *"user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> *Subject: *RE: Troubles with HDFS policies
>>
>>
>>
>> Hi,
>>
>>
>>
>> Indeed, page 10 of the Ranger User Guide specifies:
>>
>>
>>
>> "Through configuration, Apache Ranger enables both Ranger policies and
>> HDFS permissions to be checked for a user request. When the NameNode
>> receives a user request, the Ranger plugin checks for policies set through
>> the Ranger Policy Manager. If there are no policies, the Ranger plugin
>> checks for permissions set in HDFS.
>>
>> We recommend that permissions be created at the Ranger Policy Manager,
>> and to have restrictive permissions at the HDFS level."
>>
>>
>>
>> So setting very restrictive permissions with HDFS makes it possible to
>> manage the cluster security entirely with Ranger.
>>
>> Still, as I noticed some small mistakes, do you know how I can contribute
>> to the documentation improvement?
>>
>>
>>
>> Thanks for your help,
>>
>>
>>
>>
>>
>> Loïc
>>
>>
>>
>>
>>
>> *From:* Don Bosco Durai [mailto:bdurai@hortonworks.com
>> <bd...@hortonworks.com>] *On behalf of* Don Bosco Durai
>> *Sent:* Wednesday, April 29, 2015 17:45
>> *To:* user@ranger.incubator.apache.org
>> *Subject:* Re: Troubles with HDFS policies
>>
>>
>>
>> Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't
>> find any permission in its policy database, then it falls back to HDFS
>> permission check. So make sure in the HDFS level, you have 700 or even 000
>> for the given folder and manage all the permissions via Ranger. We
>> recommend picking all relevant folders (e.g. Hive data warehouse folder) and
>> do hdfs dfs -chown -R hdfs:hdfs $folderName and hdfs dfs -chmod -R 000
>> $folderName.
>>
>>
>>
>> Please note, falling back to native permission is only available in HDFS.
>> There is a switch to turn it off, but you have to be cautious when using it.
>>
>>
>>
>> Thanks
>>
>>
>>
>> Bosco
>>
>>
>>
>>
>>
>> *From: *Chanel Loïc <lo...@worldline.com>
>> *Reply-To: *"user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> *Date: *Wednesday, April 29, 2015 at 5:24 AM
>> *To: *"user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> *Subject: *Troubles with HDFS policies
>>
>>
>>
>> Hi All,
>>
>>
>>
>> As I am trying to set a Hadoop secured cluster with Ranger, I encountered
>> some troubles.
>>
>> The principal one consists in the fact that even if I have no rights to
>> read, write or execute files in a directory, I still can execute a ls
>> command (hdfs dfs -ls /testdir) showing me the files that I should not be
>> able to read, or even see. I can even see the file contents by making a cat
>> on these files (hdfs dfs -cat /testdir/testfile) that I should not be able
>> to read, which is even more problematic to me.
>>
>> In parallel, I am not able to put any files in the directory (Permission
>> denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me
>> think the policies are correctly set.
>>
>>
>>
>> Does that sound quite normal to you? Do you see a solution to make sure
>> my user toto cannot see what is in the repository of my user tata?
>>
>> Thanks for your help,
>>
>>
>>
>>
>>
>> Loïc Chanel
>>
>>
>>
>

Re: Troubles with HDFS policies

Posted by Don Bosco Durai <bo...@apache.org>.
Loïc, thanks

Can you also create a JIRA to track it? Selva can you help here to add Loïc
to the contributor list?

Thanks

Bosco


From:  Loïc Chanel <lo...@telecomnancy.net>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Tuesday, June 9, 2015 at 7:52 AM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Re: Troubles with HDFS policies

> Hi,
> 
> Actually, I still have to modify it, but I will complete it as I go further in
> Hadoop secured ecosystem deployment.
> 
> The principal thing I wanted to document was the way to use Apache Knox, as I
> noticed some mistakes in the URLs for Knox usage described by the
> documentations I found on the Web (like unnecessary "/api").
> But as I am working on the deployment of a fully secured multi-tenant cluster
> providing services such as Spark, Hive and HBase, I will have to provide some
> documentation describing how to deploy Apache Ranger to manage security on
> these components.
> 
> Therefore, that documentation should improve and complete what I started to
> write on Confluence.
> 
> Regards,
> 
> 
> Loïc
> 
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
> 
> 2015-06-04 19:00 GMT+02:00 Don Bosco Durai <bo...@apache.org>:
>> Hi 
>> 
>> I apologize, I missed this email somehow.
>> 
>> Thanks for putting this document together. It is looking good. I think, this
>> will be good starting point to build our user guide.
>> 
>> I feel, we should list out the topics we want to document and share the
>> effort.
>> 
>> Thanks again
>> 
>> Bosco
>> 
>> From: Chanel Loïc <lo...@worldline.com>
>> Reply-To: "user@ranger.incubator.apache.org"
>> <us...@ranger.incubator.apache.org>
>> Date: Tuesday, May 26, 2015 at 6:33 AM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: RE: Troubles with HDFS policies
>> 
>>> Hi Bosco,
>>>  
>>> I wrote some paragraphs on the page
>>> https://cwiki.apache.org/confluence/display/RANGER/Ranger+User+Guide
>>> As I only worked on Ranger and HDFS for now, it is the first part I created,
>>> but I will document the other components in the upcoming weeks.
>>> Feel free to make any remarks, and to tell me if this suits you.
>>>  
>>> In the meantime, I noticed some missing things and typos in Ranger
>>> Hortonworks documentation. Can I help improve it somehow?
>>>  
>>> Thanks,
>>>  
>>>  
>>> Loïc
>>>  
>>> 
>>> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco
>>> Durai
>>> Sent: Monday, May 4, 2015 19:05
>>> To: user@ranger.incubator.apache.org
>>> Subject: Re: Troubles with HDFS policies
>>>  
>>> 
>>> I have given you the permission. Let's co-ordinate on creating the user
>>> guide page.
>>> 
>>>  
>>> 
>>> Thanks
>>> 
>>>  
>>> 
>>> Bosco
>>> 
>>>  
>>> 
>>>  
>>> 
>>> From: Chanel Loïc <lo...@worldline.com>
>>> Reply-To: "user@ranger.incubator.apache.org"
>>> <us...@ranger.incubator.apache.org>
>>> Date: Monday, May 4, 2015 at 1:23 AM
>>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>>> Subject: RE: Troubles with HDFS policies
>>> 
>>>  
>>>> 
>>>> Hi Bosco,
>>>>  
>>>> I just created an account on Confluence, my user ID is bartimeux.
>>>> Thanks,
>>>>  
>>>>  
>>>> Loïc
>>>>  
>>>> 
>>>> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don
>>>> Bosco Durai
>>>> Sent: Friday, May 1, 2015 06:44
>>>> To: user@ranger.incubator.apache.org
>>>> Subject: Re: Troubles with HDFS policies
>>>>  
>>>> 
>>>> Hi Loïc
>>>> 
>>>>  
>>>> 
>>>> Thanks for the feedback.
>>>> 
>>>>  
>>>> 
>>>> I think, you are referring to the Hortonworks documentation.
>>>> 
>>>>  
>>>> 
>>>> We have a place holder in Apache Ranger Wiki site for user guide. We can
>>>> start working on it. If you can give your confluence id, we can give you
>>>> edit permission.
>>>> 
>>>>  
>>>> 
>>>> Thanks
>>>> 
>>>>  
>>>> 
>>>> Bosco
>>>> 
>>>>  
>>>> 
>>>> From: Chanel Loïc <lo...@worldline.com>
>>>> Reply-To: "user@ranger.incubator.apache.org"
>>>> <us...@ranger.incubator.apache.org>
>>>> Date: Thursday, April 30, 2015 at 1:32 AM
>>>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>>>> Subject: RE: Troubles with HDFS policies
>>>> 
>>>>  
>>>>> 
>>>>> Hi,
>>>>>  
>>>>> Indeed, page 10 of the Ranger User Guide specifies:
>>>>>  
>>>>> "Through configuration, Apache Ranger enables both Ranger policies and
>>>>> HDFS permissions to be checked for a user request. When the NameNode
>>>>> receives a user request, the Ranger plugin checks for policies set through
>>>>> the Ranger Policy Manager. If there are no policies, the Ranger plugin
>>>>> checks for permissions set in HDFS.
>>>>> We recommend that permissions be created at the Ranger Policy Manager, and
>>>>> to have restrictive permissions at the HDFS level."
>>>>>  
>>>>> So setting very restrictive permissions with HDFS makes it possible to
>>>>> manage the cluster security entirely with Ranger.
>>>>> Still, as I noticed some small mistakes, do you know how I can contribute
>>>>> to the documentation improvement?
>>>>>  
>>>>> Thanks for your help,
>>>>>  
>>>>>  
>>>>> Loïc
>>>>>  
>>>>>  
>>>>> 
>>>>> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don
>>>>> Bosco Durai
>>>>> Sent: Wednesday, April 29, 2015 17:45
>>>>> To: user@ranger.incubator.apache.org
>>>>> Subject: Re: Troubles with HDFS policies
>>>>>  
>>>>> 
>>>>> Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't
>>>>> find any permission in its policy database, then it falls back to HDFS
>>>>> permission check. So make sure in the HDFS level, you have 700 or even 000
>>>>> for the given folder and manage all the permissions via Ranger. We
>>>>> recommend picking all relevant folders (e.g. Hive data warehouse folder)
>>>>> and do hdfs dfs -chown -R hdfs:hdfs $folderName and hdfs dfs -chmod -R 000
>>>>> $folderName.
>>>>> 
>>>>>  
>>>>> 
>>>>> Please note, falling back to native permission is only available in HDFS.
>>>>> There is a switch to turn it off, but you have to be cautious when using
>>>>> it.
>>>>> 
>>>>>  
>>>>> 
>>>>> Thanks
>>>>> 
>>>>>  
>>>>> 
>>>>> Bosco
>>>>> 
>>>>>  
>>>>> 
>>>>>  
>>>>> 
>>>>> From: Chanel Loïc <lo...@worldline.com>
>>>>> Reply-To: "user@ranger.incubator.apache.org"
>>>>> <us...@ranger.incubator.apache.org>
>>>>> Date: Wednesday, April 29, 2015 at 5:24 AM
>>>>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>>>>> Subject: Troubles with HDFS policies
>>>>> 
>>>>>  
>>>>>> 
>>>>>> Hi All,
>>>>>>  
>>>>>> As I am trying to set a Hadoop secured cluster with Ranger, I encountered
>>>>>> some troubles.
>>>>>> The principal one consists in the fact that even if I have no rights to
>>>>>> read, write or execute files in a directory, I still can execute a ls
>>>>>> command (hdfs dfs -ls /testdir) showing me the files that I should not be
>>>>>> able to read, or even see. I can even see the file contents by making a
>>>>>> cat on these files (hdfs dfs -cat /testdir/testfile) that I should not be
>>>>>> able to read, which is even more problematic to me.
>>>>>> In parallel, I am not able to put any files in the directory (Permission
>>>>>> denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes
>>>>>> me think the policies are correctly set.
>>>>>>  
>>>>>> Does that sound quite normal to you? Do you see a solution to make sure
>>>>>> my user toto cannot see what is in the repository of my user tata?
>>>>>> Thanks for your help,
>>>>>>  
>>>>>>  
>>>>>> Loïc Chanel
>>>>>>  
>>>>>> 
>>>>>> 
>>>>>> 
> 



Re: Troubles with HDFS policies

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Hi,

Actually, I still have to modify it, but I will complete it as I go further
in Hadoop secured ecosystem deployment.

The principal thing I wanted to document was the way to use Apache Knox, as
I noticed some mistakes in the URLs for Knox usage described by the
documentation I found on the Web (like unnecessary "/api").
But as I am working on the deployment of a fully secured multi-tenant
cluster providing services such as Spark, Hive and HBase, I will have to
provide some documentation describing how to deploy Apache Ranger to manage
security on these components.

Therefore, that documentation should improve and complete what I started to
write on Confluence.

Regards,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-04 19:00 GMT+02:00 Don Bosco Durai <bo...@apache.org>:

> Hi
>
> I apologize, I missed this email somehow.
>
> Thanks for putting this document together. It is looking good. I think,
> this will be a good starting point to build our user guide.
>
> I feel, we should list out the topics we want to document and share the
> effort.
>
> Thanks again
>
> Bosco
>
> From: Chanel Loïc <lo...@worldline.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Tuesday, May 26, 2015 at 6:33 AM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: RE: Troubles with HDFS policies
>
> Hi Bosco,
>
>
>
> I wrote some paragraphs on the page
> https://cwiki.apache.org/confluence/display/RANGER/Ranger+User+Guide
>
> As I only worked on Ranger and HDFS for now, it is the first part I
> created, but I will document the other components in the upcoming weeks.
>
> Feel free to make any remarks, and to tell me if this suits you.
>
>
>
> In the meantime, I noticed some missing things and typos in the Ranger
> Hortonworks documentation. Can I help improve it somehow?
>
>
>
> Thanks,
>
>
>
>
>
> Loïc
>
>
>
> *From:* Don Bosco Durai [mailto:bdurai@hortonworks.com
> <bd...@hortonworks.com>] *On behalf of* Don Bosco Durai
> *Sent:* Monday, May 4, 2015 19:05
> *To:* user@ranger.incubator.apache.org
> *Subject:* Re: Troubles with HDFS policies
>
>
>
> I have given you the permission. Let’s co-ordinate on creating the user
> guide page.
>
>
>
> Thanks
>
>
>
> Bosco
>
>
>
>
>
> *From: *Chanel Loïc <lo...@worldline.com>
> *Reply-To: *"user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> *Date: *Monday, May 4, 2015 at 1:23 AM
> *To: *"user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org
> >
> *Subject: *RE: Troubles with HDFS policies
>
>
>
> Hi Bosco,
>
>
>
> I just created an account on Confluence, my user ID is bartimeux.
>
> Thanks,
>
>
>
>
>
> Loïc
>
>
>
> *From:* Don Bosco Durai [mailto:bdurai@hortonworks.com
> <bd...@hortonworks.com>] *On behalf of* Don Bosco Durai
> *Sent:* Friday, May 1, 2015 06:44
> *To:* user@ranger.incubator.apache.org
> *Subject:* Re: Troubles with HDFS policies
>
>
>
> Hi Loïc
>
>
>
> Thanks for the feedback.
>
>
>
> I think, you are referring to the Hortonworks documentation.
>
>
>
> We have a place holder in Apache Ranger Wiki site for user guide. We can
> start working on it. If you can give your confluence id, we can give you
> edit permission.
>
>
>
> Thanks
>
>
>
> Bosco
>
>
>
> *From: *Chanel Loïc <lo...@worldline.com>
> *Reply-To: *"user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> *Date: *Thursday, April 30, 2015 at 1:32 AM
> *To: *"user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org
> >
> *Subject: *RE: Troubles with HDFS policies
>
>
>
> Hi,
>
>
>
> Indeed, page 10 of the Ranger User Guide specifies:
>
>
>
> “Through configuration, Apache Ranger enables both Ranger policies and
> HDFS permissions to be checked for a user request. When the NameNode
> receives a user request, the Ranger plugin checks for policies set through
> the Ranger Policy Manager. If there are no policies, the Ranger plugin
> checks for permissions set in HDFS.
>
> We recommend that permissions be created at the Ranger Policy Manager, and
> to have restrictive permissions at the HDFS level.”
>
>
>
> So setting very restrictive permissions with HDFS allows managing the
> cluster security entirely with Ranger.
>
> Still, as I noticed some small mistakes, do you know how I can contribute
> to the documentation improvement?
>
>
>
> Thanks for your help,
>
>
>
>
>
> Loïc
>
>
>
>
>
> *From:* Don Bosco Durai [mailto:bdurai@hortonworks.com
> <bd...@hortonworks.com>] *On behalf of* Don Bosco Durai
> *Sent:* Wednesday, April 29, 2015 17:45
> *To:* user@ranger.incubator.apache.org
> *Subject:* Re: Troubles with HDFS policies
>
>
>
> Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn’t
> find any permission in its policy database, then it falls back to HDFS
> permission check. So make sure in the HDFS level, you have 700 or even 000
> for the given folder and manage all the permissions via Ranger. We
> recommend you pick all relevant folders (e.g. Hive data warehouse folder)
> and do hdfs dfs -chown -R hdfs:hdfs $folderName and hdfs dfs -chmod -R 000
> $folderName.
>
>
>
> Please note, falling back to native permission is only available in HDFS.
> There is a switch to turn it off, but you have to be cautious when using it.
>
>
>
> Thanks
>
>
>
> Bosco
>
>
>
>
>
> *From: *Chanel Loïc <lo...@worldline.com>
> *Reply-To: *"user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> *Date: *Wednesday, April 29, 2015 at 5:24 AM
> *To: *"user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org
> >
> *Subject: *Troubles with HDFS policies
>
>
>
> Hi All,
>
>
>
> As I am trying to set a Hadoop secured cluster with Ranger, I encountered
> some troubles.
>
> The principal one consists in the fact that even if I have no rights to
> read, write or execute files in a directory, I still can execute a ls
> command (hdfs dfs -ls /testdir) showing me the files that I should not be
> able to read, or even see. I can even see the file contents by making a cat
> on these files (hdfs dfs -cat /testdir/testfile) that I should not be able
> to read, which is even more problematic to me.
>
> In parallel, I am not able to put any files in the directory (Permission
> denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me
> think the policies are correctly set.
>
>
>
> Does that sound quite normal to you? Do you see a solution to make sure
> my user toto cannot see what is in the repository of my user tata?
>
> Thanks for your help,
>
>
>
>
>
> Loïc Chanel
>
>

Re: Troubles with HDFS policies

Posted by Don Bosco Durai <bo...@apache.org>.
Hi 

I apologize, I missed this email somehow.

Thanks for putting this document together. It is looking good. I think, this
will be a good starting point to build our user guide.

I feel, we should list out the topics we want to document and share the
effort.

Thanks again

Bosco

From:  Chanel Loïc <lo...@worldline.com>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Tuesday, May 26, 2015 at 6:33 AM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  RE: Troubles with HDFS policies

> Hi Bosco,
>  
> I wrote some paragraphs on the page
> https://cwiki.apache.org/confluence/display/RANGER/Ranger+User+Guide
> As I only worked on Ranger and HDFS for now, it is the first part I created,
> but I will document the other components in the upcoming weeks.
> Feel free to make any remarks, and to tell me if this suits you.
>  
> In the meantime, I noticed some missing things and typos in the Ranger
> Hortonworks documentation. Can I help improve it somehow?
>  
> Thanks,
>  
>  
> Loïc
>  
> 
> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco
> Durai
> Sent: Monday, May 4, 2015 19:05
> To: user@ranger.incubator.apache.org
> Subject: Re: Troubles with HDFS policies
>  
> 
> I have given you the permission. Let's co-ordinate on creating the user guide
> page.
> 
>  
> 
> Thanks
> 
>  
> 
> Bosco
> 
>  
> 
>  
> 
> From: Chanel Loïc <lo...@worldline.com>
> Reply-To: "user@ranger.incubator.apache.org"
> <us...@ranger.incubator.apache.org>
> Date: Monday, May 4, 2015 at 1:23 AM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: RE: Troubles with HDFS policies
> 
>  
>> 
>> Hi Bosco,
>>  
>> I just created an account on Confluence, my user ID is bartimeux.
>> Thanks,
>>  
>>  
>> Loïc
>>  
>> 
>> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco
>> Durai
>> Sent: Friday, May 1, 2015 06:44
>> To: user@ranger.incubator.apache.org
>> Subject: Re: Troubles with HDFS policies
>>  
>> 
>> Hi Loïc
>> 
>>  
>> 
>> Thanks for the feedback.
>> 
>>  
>> 
>> I think, you are referring to the Hortonworks documentation.
>> 
>>  
>> 
>> We have a place holder in Apache Ranger Wiki site for user guide. We can
>> start working on it. If you can give your confluence id, we can give you edit
>> permission.
>> 
>>  
>> 
>> Thanks
>> 
>>  
>> 
>> Bosco
>> 
>>  
>> 
>> From: Chanel Loïc <lo...@worldline.com>
>> Reply-To: "user@ranger.incubator.apache.org"
>> <us...@ranger.incubator.apache.org>
>> Date: Thursday, April 30, 2015 at 1:32 AM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: RE: Troubles with HDFS policies
>> 
>>  
>>> 
>>> Hi,
>>>  
>>> Indeed, page 10 of the Ranger User Guide specifies:
>>>
>>> "Through configuration, Apache Ranger enables both Ranger policies and HDFS
>>> permissions to be checked for a user request. When the NameNode receives a
>>> user request, the Ranger plugin checks for policies set through the Ranger
>>> Policy Manager. If there are no policies, the Ranger plugin checks for
>>> permissions set in HDFS.
>>> We recommend that permissions be created at the Ranger Policy Manager, and
>>> to have restrictive permissions at the HDFS level."
>>>
>>> So setting very restrictive permissions with HDFS allows managing the
>>> cluster security entirely with Ranger.
>>> Still, as I noticed some small mistakes, do you know how I can contribute to
>>> the documentation improvement?
>>>  
>>> Thanks for your help,
>>>  
>>>  
>>> Loïc
>>>  
>>>  
>>> 
>>> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco
>>> Durai
>>> Sent: Wednesday, April 29, 2015 17:45
>>> To: user@ranger.incubator.apache.org
>>> Subject: Re: Troubles with HDFS policies
>>>  
>>> 
>>> Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't find
>>> any permission in its policy database, then it falls back to HDFS
>>> permission check. So make sure in the HDFS level, you have 700 or even 000
>>> for the given folder and manage all the permissions via Ranger. We recommend
>>> you pick all relevant folders (e.g. Hive data warehouse folder) and do hdfs
>>> dfs -chown -R hdfs:hdfs $folderName and hdfs dfs -chmod -R 000 $folderName.
>>> 
>>>  
>>> 
>>> Please note, falling back to native permission is only available in HDFS.
>>> There is a switch to turn it off, but you have to be cautious when using it.
>>> 
>>>  
>>> 
>>> Thanks
>>> 
>>>  
>>> 
>>> Bosco
>>> 
>>>  
>>> 
>>>  
>>> 
>>> From: Chanel Loïc <lo...@worldline.com>
>>> Reply-To: "user@ranger.incubator.apache.org"
>>> <us...@ranger.incubator.apache.org>
>>> Date: Wednesday, April 29, 2015 at 5:24 AM
>>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>>> Subject: Troubles with HDFS policies
>>> 
>>>  
>>>> 
>>>> Hi All,
>>>>  
>>>> As I am trying to set a Hadoop secured cluster with Ranger, I encountered
>>>> some troubles.
>>>> The principal one consists in the fact that even if I have no rights to
>>>> read, write or execute files in a directory, I still can execute a ls
>>>> command (hdfs dfs -ls /testdir) showing me the files that I should not be
>>>> able to read, or even see. I can even see the file contents by making a cat
>>>> on these files (hdfs dfs -cat /testdir/testfile) that I should not be able
>>>> to read, which is even more problematic to me.
>>>> In parallel, I am not able to put any files in the directory (Permission
>>>> denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me
>>>> think the policies are correctly set.
>>>>
>>>> Does that sound quite normal to you? Do you see a solution to make sure my
>>>> user toto cannot see what is in the repository of my user tata?
>>>> Thanks for your help,
>>>>  
>>>>  
>>>> Loïc Chanel
>>>>  
>>>> 
>>>> 
>>>> 



RE: Troubles with HDFS policies

Posted by Chanel Loïc <lo...@worldline.com>.
Hi Bosco,

I wrote some paragraphs on the page https://cwiki.apache.org/confluence/display/RANGER/Ranger+User+Guide
As I only worked on Ranger and HDFS for now, it is the first part I created, but I will document the other components in the upcoming weeks.
Feel free to make any remarks, and to tell me if this suits you.

In the meantime, I noticed some missing things and typos in the Ranger Hortonworks documentation. Can I help improve it somehow?

Thanks,


Loïc

From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco Durai
Sent: Monday, May 4, 2015 19:05
To: user@ranger.incubator.apache.org
Subject: Re: Troubles with HDFS policies

I have given you the permission. Let's co-ordinate on creating the user guide page.

Thanks

Bosco


From: Chanel Loïc <lo...@worldline.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Monday, May 4, 2015 at 1:23 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: RE: Troubles with HDFS policies

Hi Bosco,

I just created an account on Confluence, my user ID is bartimeux.
Thanks,


Loïc

From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco Durai
Sent: Friday, May 1, 2015 06:44
To: user@ranger.incubator.apache.org
Subject: Re: Troubles with HDFS policies

Hi Loïc

Thanks for the feedback.

I think, you are referring to the Hortonworks documentation.

We have a place holder in Apache Ranger Wiki site for user guide. We can start working on it. If you can give your confluence id, we can give you edit permission.

Thanks

Bosco

From: Chanel Loïc <lo...@worldline.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Thursday, April 30, 2015 at 1:32 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: RE: Troubles with HDFS policies

Hi,

Indeed, page 10 of the Ranger User Guide specifies:

"Through configuration, Apache Ranger enables both Ranger policies and HDFS permissions to be checked for a user request. When the NameNode receives a user request, the Ranger plugin checks for policies set through the Ranger Policy Manager. If there are no policies, the Ranger plugin checks for permissions set in HDFS.
We recommend that permissions be created at the Ranger Policy Manager, and to have restrictive permissions at the HDFS level."

So setting very restrictive permissions with HDFS allows managing the cluster security entirely with Ranger.
Still, as I noticed some small mistakes, do you know how I can contribute to the documentation improvement?

Thanks for your help,


Loïc


From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco Durai
Sent: Wednesday, April 29, 2015 17:45
To: user@ranger.incubator.apache.org
Subject: Re: Troubles with HDFS policies

Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't find any permission in its policy database, then it falls back to HDFS permission check. So make sure in the HDFS level, you have 700 or even 000 for the given folder and manage all the permissions via Ranger. We recommend you pick all relevant folders (e.g. Hive data warehouse folder) and do hdfs dfs -chown -R hdfs:hdfs $folderName and hdfs dfs -chmod -R 000 $folderName.

Please note, falling back to native permission is only available in HDFS. There is a switch to turn it off, but you have to be cautious when using it.

Thanks

Bosco


From: Chanel Loïc <lo...@worldline.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Wednesday, April 29, 2015 at 5:24 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Troubles with HDFS policies

Hi All,

As I am trying to set a Hadoop secured cluster with Ranger, I encountered some troubles.
The principal one consists in the fact that even if I have no rights to read, write or execute files in a directory, I still can execute a ls command (hdfs dfs -ls /testdir) showing me the files that I should not be able to read, or even see. I can even see the file contents by making a cat on these files (hdfs dfs -cat /testdir/testfile) that I should not be able to read, which is even more problematic to me.
In parallel, I am not able to put any files in the directory (Permission denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me think the policies are correctly set.

Does that sound quite normal to you? Do you see a solution to make sure my user toto cannot see what is in the repository of my user tata?
Thanks for your help,


Loïc Chanel
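
Added example, not part of the original messages and not Ranger's own code: a small Python model of the check order discussed in this thread (Ranger policy first, native HDFS mode bits as the fallback), showing why ls and cat succeed while put is denied, and what changes after chown hdfs:hdfs and chmod 000. The 755/644 starting modes, the group names, the policy for tata and every class, function and parameter name are assumptions made for the illustration.

```python
"""Simplified model (constructed for illustration) of the check order described
in this thread: a Ranger policy is consulted first, and when none covers the
request the decision falls back to the native HDFS mode bits."""
from dataclasses import dataclass

BIT = {"read": 4, "write": 2, "execute": 1}


@dataclass(frozen=True)
class Inode:
    path: str
    owner: str
    group: str
    mode: int  # POSIX mode bits, e.g. 0o755


@dataclass(frozen=True)
class Policy:  # hypothetical, minimal stand-in for a Ranger HDFS policy
    path: str  # applies to this path and everything below it
    users: frozenset
    accesses: frozenset  # subset of {"read", "write", "execute"}


def hdfs_allows(inode, user, groups, access):
    """Native check: owner bits, else group bits, else other bits.
    The HDFS superuser bypass is not modelled."""
    if user == inode.owner:
        shift = 6
    elif inode.group in groups:
        shift = 3
    else:
        shift = 0
    return bool((inode.mode >> shift) & BIT[access])


def policy_allows(policies, inode, user, access):
    """True when some policy on this path or an ancestor grants the access."""
    for p in policies:
        below = inode.path == p.path or inode.path.startswith(p.path.rstrip("/") + "/")
        if below and user in p.users and access in p.accesses:
            return True
    return False


def authorize(inode, user, groups, access, policies, fallback=True):
    """Return (allowed, decided_by). `fallback` models the switch mentioned in
    the thread; the parameter name is an assumption."""
    if policy_allows(policies, inode, user, access):
        return True, "ranger-policy"
    if fallback:
        return hdfs_allows(inode, user, groups, access), "hdfs-fallback"
    return False, "no-policy"


def can(op, user, groups, policies, directory, file, fallback=True):
    """Map each shell operation to the accesses it needs, then check them all."""
    needs = {
        "ls": [(directory, "read"), (directory, "execute")],
        "cat": [(directory, "execute"), (file, "read")],
        "put": [(directory, "write"), (directory, "execute")],
    }[op]
    return all(authorize(i, user, groups, a, policies, fallback)[0] for i, a in needs)


def observed(user, directory, file, policies, fallback=True):
    """Outcome of ls, cat and put for a user who is only in group 'users'."""
    groups = {"users"}
    return {op: can(op, user, groups, policies, directory, file, fallback)
            for op in ("ls", "cat", "put")}


# Constructed scenario. The modes before hardening are assumed (the thread does
# not state them); 755/644 reproduces what the original poster observed.
BEFORE_DIR = Inode("/testdir", "tata", "hadoop", 0o755)
BEFORE_FILE = Inode("/testdir/testfile", "tata", "hadoop", 0o644)
# After chown -R hdfs:hdfs and chmod -R 000, as recommended in the thread.
AFTER_DIR = Inode("/testdir", "hdfs", "hdfs", 0o000)
AFTER_FILE = Inode("/testdir/testfile", "hdfs", "hdfs", 0o000)
# Only tata has a policy on /testdir; toto has none.
TATA_POLICY = [Policy("/testdir", frozenset({"tata"}), frozenset(BIT))]

if __name__ == "__main__":
    print("toto, before:", observed("toto", BEFORE_DIR, BEFORE_FILE, TATA_POLICY))
    print("toto, after: ", observed("toto", AFTER_DIR, AFTER_FILE, TATA_POLICY))
    print("tata, after: ", observed("tata", AFTER_DIR, AFTER_FILE, TATA_POLICY))
```

With restrictive native modes, every grant is decided by a policy, so the decision source reported by authorize() is a quick way to see which requests still depend on the fallback.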


Re: Troubles with HDFS policies

Posted by Don Bosco Durai <bo...@apache.org>.
I have given you the permission. Let's co-ordinate on creating the user
guide page.

Thanks

Bosco


From:  Chanel Loïc <lo...@worldline.com>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Monday, May 4, 2015 at 1:23 AM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  RE: Troubles with HDFS policies

> Hi Bosco,
>  
> I just created an account on Confluence, my user ID is bartimeux.
> Thanks,
>  
>  
> Loïc
>  
> 
> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco
> Durai
> Sent: Friday, May 1, 2015 06:44
> To: user@ranger.incubator.apache.org
> Subject: Re: Troubles with HDFS policies
>  
> 
> Hi Loïc
> 
>  
> 
> Thanks for the feedback.
> 
>  
> 
> I think, you are referring to the Hortonworks documentation.
> 
>  
> 
> We have a place holder in Apache Ranger Wiki site for user guide. We can start
> working on it. If you can give your confluence id, we can give you edit
> permission.
> 
>  
> 
> Thanks
> 
>  
> 
> Bosco
> 
>  
> 
> From: Chanel Loïc <lo...@worldline.com>
> Reply-To: "user@ranger.incubator.apache.org"
> <us...@ranger.incubator.apache.org>
> Date: Thursday, April 30, 2015 at 1:32 AM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: RE: Troubles with HDFS policies
> 
>  
>> 
>> Hi,
>>  
>> Indeed, the page 10 of the Ranger User Guide specifies :
>>  
>> "Through configuration, Apache Ranger enables both Ranger policies and HDFS
>> permissions to be checked for a user request. When the NameNode receives a
>> user request, the Ranger plugin checks for policies set through the Ranger
>> Policy Manager. If there are no policies, the Ranger plugin checks for
>> permissions set in HDFS.
>> We recommend that permissions be created at the Ranger Policy Manager, and to
>> have restrictive permissions at the HDFS level."
>>  
>> So setting very restrictive permissions with HDFS allows to manage entirely
>> the cluster security with Ranger.
>> Still, as I noticed some small mistakes, do you know how I can contribute to
>> the documentation improvement ?
>>  
>> Thanks for your help,
>>  
>>  
>> Loïc
>>  
>>  
>> 
>> From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco
>> Durai
>> Sent: Wednesday, April 29, 2015 17:45
>> To: user@ranger.incubator.apache.org
>> Subject: Re: Troubles with HDFS policies
>>  
>> 
>> Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't find
>> any permission in its policy database, then it falls back to HDFS permission
>> check. So make sure in the HDFS level, you have 700 or even 000 for the given
>> folder and manage all the permissions via Ranger. We recommend pick all
>> relevant folders (e.g Hive data warehouse folder) and do hdfs dfs -chown -R
>> hdfs:hdfs $folderName and hdfs dfs -chmod 000 -R $folderName.
>> 
>>  
>> 
>> Please note, falling back to native permission is only available in HDFS.
>> There is a switch to turn it off, but you have to be cautious when using it.
>> 
>>  
>> 
>> Thanks
>> 
>>  
>> 
>> Bosco
>> 
>>  
>> 
>>  
>> 
>> From: Chanel Loïc <lo...@worldline.com>
>> Reply-To: "user@ranger.incubator.apache.org"
>> <us...@ranger.incubator.apache.org>
>> Date: Wednesday, April 29, 2015 at 5:24 AM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: Troubles with HDFS policies
>> 
>>  
>>> 
>>> Hi All,
>>>  
>>> As I am trying to set a Hadoop secured cluster with Ranger, I encountered
>>> some troubles.
>>> The principal one consists in the fact that even if I have no rights to
>>> read, write or execute files in a directory, I still can execute a ls
>>> command (hdfs dfs -ls /testdir) showing me the files that I should not be
>>> able to read, or even see. I can even see the file contents by making a cat
>>> on these files (hdfs dfs -cat /testdir/testfile) that I should not be able
>>> to read, which is even more problematic to me.
>>> In parallel, I am not able to put any files in the directory (Permission
>>> denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me
>>> think the policies are correctly set.
>>>  
>>> Does that sound quite normal to you ? Do you see a solution to make sure my
>>> user toto cannot see what is in the repository of my user tata ?
>>> Thanks for your help,
>>>  
>>>  
>>> Loïc Chanel
>>>  
>>> 
>>> 
>>> 



RE: Troubles with HDFS policies

Posted by Chanel Loïc <lo...@worldline.com>.
Hi Bosco,

I just created an account on Confluence, my user ID is bartimeux.
Thanks,


Loïc

From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco Durai
Sent: Friday, May 1, 2015 06:44
To: user@ranger.incubator.apache.org
Subject: Re: Troubles with HDFS policies

Hi Loïc

Thanks for the feedback.

I think, you are referring to the Hortonworks documentation.

We have a place holder in Apache Ranger Wiki site for user guide. We can start working on it. If you can give your confluence id, we can give you edit permission.

Thanks

Bosco

From: Chanel Loïc <lo...@worldline.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Thursday, April 30, 2015 at 1:32 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: RE: Troubles with HDFS policies

Hi,

Indeed, the page 10 of the Ranger User Guide specifies :

"Through configuration, Apache Ranger enables both Ranger policies and HDFS permissions to be checked for a user request. When the NameNode receives a user request, the Ranger plugin checks for policies set through the Ranger Policy Manager. If there are no policies, the Ranger plugin checks for permissions set in HDFS.
We recommend that permissions be created at the Ranger Policy Manager, and to have restrictive permissions at the HDFS level."

So setting very restrictive permissions with HDFS allows to manage entirely the cluster security with Ranger.
Still, as I noticed some small mistakes, do you know how I can contribute to the documentation improvement ?

Thanks for your help,


Loïc


From: Don Bosco Durai [mailto:bdurai@hortonworks.com] On behalf of Don Bosco Durai
Sent: Wednesday, April 29, 2015 17:45
To: user@ranger.incubator.apache.org
Subject: Re: Troubles with HDFS policies

Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't find any permission in its policy database, then it falls back to HDFS permission check. So make sure in the HDFS level, you have 700 or even 000 for the given folder and manage all the permissions via Ranger. We recommend pick all relevant folders (e.g Hive data warehouse folder) and do hdfs dfs -chown -R hdfs:hdfs $folderName and hdfs dfs -chmod 000 -R $folderName.

Please note, falling back to native permission is only available in HDFS. There is a switch to turn it off, but you have to be cautious when using it.

Thanks

Bosco


From: Chanel Loïc <lo...@worldline.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Wednesday, April 29, 2015 at 5:24 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Troubles with HDFS policies

Hi All,

As I am trying to set a Hadoop secured cluster with Ranger, I encountered some troubles.
The principal one consists in the fact that even if I have no rights to read, write or execute files in a directory, I still can execute a ls command (hdfs dfs -ls /testdir) showing me the files that I should not be able to read, or even see. I can even see the file contents by making a cat on these files (hdfs dfs -cat /testdir/testfile) that I should not be able to read, which is even more problematic to me.
In parallel, I am not able to put any files in the directory (Permission denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me think the policies are correctly set.

Does that sound quite normal to you ? Do you see a solution to make sure my user toto cannot see what is in the repository of my user tata ?
Thanks for your help,


Loïc Chanel
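
The behaviour discussed in this thread (ls and cat succeed, put is denied) follows from the fallback order described in the 29 April reply. The sketch below is an added example, not code from Apache Ranger or from either poster: it is a simplified model that checks only the target inode (no superuser, ACL or parent-traversal checks). The 755/644 modes, the policy layout and the `fallback` parameter are assumptions made for illustration.

```python
from dataclasses import dataclass

BITS = {"read": 4, "write": 2, "execute": 1}

@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # POSIX-style mode, e.g. 0o755

def hdfs_allows(inode, user, groups, access):
    """Native HDFS check: pick owner, group or other bits, then test the bit."""
    if user == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bool(bits & BITS[access])

def ranger_allows(policies, user, path, access):
    """True if any policy covering `path` (recursively) grants `access` to `user`."""
    for resource, grants in policies:
        covered = path == resource or path.startswith(resource.rstrip("/") + "/")
        if covered and access in grants.get(user, set()):
            return True
    return False

def authorize(fs, policies, user, groups, path, access, fallback=True):
    """Return (allowed, decided_by): Ranger policies first, then native HDFS bits."""
    if ranger_allows(policies, user, path, access):
        return True, "ranger"
    if fallback and hdfs_allows(fs[path], user, groups, access):
        return True, "hdfs-fallback"
    return False, "denied"

def thread_scenario(locked_down):
    """Replay the ls, cat and put requests from the thread on constructed data."""
    if locked_down:  # state after chown -R hdfs:hdfs and chmod 000
        fs = {"/testdir": Inode("hdfs", "hdfs", 0o000),
              "/testdir/testfile": Inode("hdfs", "hdfs", 0o000)}
    else:            # assumed starting state: directory 755, file 644, owner tata
        fs = {"/testdir": Inode("tata", "tata", 0o755),
              "/testdir/testfile": Inode("tata", "tata", 0o644)}
    # Assumed Ranger policy: only tata is granted access under /testdir.
    policies = [("/testdir", {"tata": {"read", "write", "execute"}})]
    requests = [("ls", "/testdir", "read"),
                ("cat", "/testdir/testfile", "read"),
                ("put", "/testdir", "write")]
    return {(user, cmd): authorize(fs, policies, user, [user], path, access)
            for user in ("toto", "tata") for cmd, path, access in requests}

if __name__ == "__main__":
    for locked in (False, True):
        print("locked down:", locked)
        for key, verdict in thread_scenario(locked).items():
            print("  ", key, verdict)
```

In the first state toto's reads are granted by the world-readable bits rather than by any Ranger policy, which is why they look like a policy failure; in the locked-down state every grant is decided by Ranger.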
