Posted to dev@ranger.apache.org by Qiang Zhang <zh...@zte.com.cn> on 2017/02/15 08:56:01 UTC

Review Request 56700: RANGER-1386:Can't disable hdfs plugin after execute disable-hdfs-plugin.sh

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56700/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1386
    https://issues.apache.org/jira/browse/RANGER-1386


Repository: ranger


Description
-------

steps:
1. Execute enable-hdfs-plugin.sh
2. Restart hadoop-hdfs, Authorization control enabled. We can set the rights for users in web UI.
3. Execute disable-hdfs-plugin.sh
4. Restart hadoop-hdfs, we can also set the rights for users in web UI. 
I think after we disable the hdfs plugin, we shouldn't have the right to set the rights for users through ranger.


Diffs
-----

  hdfs-agent/disable-conf/hdfs-site-changes.cfg PRE-CREATION 
  src/main/assembly/hdfs-agent.xml 63e426a 

Diff: https://reviews.apache.org/r/56700/diff/


Testing
-------


Thanks,

Qiang Zhang


Re: Review Request 56700: RANGER-1386:Ranger hdfs-plugin function not revoked after execute disable-hdfs-plugin.sh which cause hadoop-hdfs authorization failed.

Posted by Qiang Zhang <zh...@zte.com.cn>.

> On March 9, 2017, 5:04 p.m., Colm O hEigeartaigh wrote:
> > This should be fixed for 0.7.1 as well IMO.
> > I think the changes to "dfs.permissions.enabled/dfs.permissions" also are not really necessary, just the authorizer change.

Yes, I agree with you.
I have tested this function and updated the patch.
Thanks!


- Qiang


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56700/#review168477
-----------------------------------------------------------


On March 10, 2017, 1:45 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56700/
> -----------------------------------------------------------
> 
> (Updated March 10, 2017, 1:45 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1386
>     https://issues.apache.org/jira/browse/RANGER-1386
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> steps:
> 1. User yuwen doesn't have the permission to put a.txt in hdfs Catalog /test
> [yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
> put: Permission denied: user=yuwen, access=WRITE, inode="/test/a.txt._COPYING_":xiehh:supergroup:drwxr-xr-x
> 
> 2. Execute enable-hdfs-plugin.sh and restart hadoop-hdfs, ranger authorization control enabled.
> We add policy to give permission for user yuwen to put a file in web UI.
> [yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
> [yuwen@zdh41 bin]$ ./hdfs dfs -ls /test
> Found 1 items
> -rw-r--r--   3 yuwen supergroup         15 2017-02-20 17:07 /test/a.txt
> 
> 3. Execute disable-hdfs-plugin.sh and Restart hadoop-hdfs
> user yuwen shouldn't have the permission to put a file in Catalog /test
> but he also has the rights, ranger hdfs-plugin function not revoked.
> This is a serious problem which causes hadoop-hdfs authorization to fail.
> 
> 
> Diffs
> -----
> 
>   hdfs-agent/disable-conf/hdfs-site-changes.cfg PRE-CREATION 
>   src/main/assembly/hdfs-agent.xml 63e426a 
> 
> 
> Diff: https://reviews.apache.org/r/56700/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>


Re: Review Request 56700: RANGER-1386:Ranger hdfs-plugin function not revoked after execute disable-hdfs-plugin.sh which cause hadoop-hdfs authorization failed.

Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56700/#review168477
-----------------------------------------------------------



This should be fixed for 0.7.1 as well IMO.
I think the changes to "dfs.permissions.enabled/dfs.permissions" also are not really necessary, just the authorizer change.

- Colm O hEigeartaigh


On Feb. 20, 2017, 9:06 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56700/
> -----------------------------------------------------------
> 
> (Updated Feb. 20, 2017, 9:06 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1386
>     https://issues.apache.org/jira/browse/RANGER-1386
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> steps:
> 1. User yuwen doesn't have the permission to put a.txt in hdfs Catalog /test
> [yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
> put: Permission denied: user=yuwen, access=WRITE, inode="/test/a.txt._COPYING_":xiehh:supergroup:drwxr-xr-x
> 
> 2. Execute enable-hdfs-plugin.sh and restart hadoop-hdfs, ranger authorization control enabled.
> We add policy to give permission for user yuwen to put a file in web UI.
> [yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
> [yuwen@zdh41 bin]$ ./hdfs dfs -ls /test
> Found 1 items
> -rw-r--r--   3 yuwen supergroup         15 2017-02-20 17:07 /test/a.txt
> 
> 3. Execute disable-hdfs-plugin.sh and Restart hadoop-hdfs
> user yuwen shouldn't have the permission to put a file in Catalog /test
> but he also has the rights, ranger hdfs-plugin function not revoked.
> This is a serious problem which causes hadoop-hdfs authorization to fail.
> 
> 
> Diffs
> -----
> 
>   hdfs-agent/disable-conf/hdfs-site-changes.cfg PRE-CREATION 
>   src/main/assembly/hdfs-agent.xml 63e426a 
> 
> 
> Diff: https://reviews.apache.org/r/56700/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>


Re: Review Request 56700: RANGER-1386:Ranger hdfs-plugin function not revoked after execute disable-hdfs-plugin.sh which cause hadoop-hdfs authorization failed.

Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56700/#review168616
-----------------------------------------------------------


Ship it!

- Colm O hEigeartaigh


On March 10, 2017, 1:45 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56700/
> -----------------------------------------------------------
> 
> (Updated March 10, 2017, 1:45 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1386
>     https://issues.apache.org/jira/browse/RANGER-1386
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> steps:
> 1. User yuwen doesn't have the permission to put a.txt in hdfs Catalog /test
> [yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
> put: Permission denied: user=yuwen, access=WRITE, inode="/test/a.txt._COPYING_":xiehh:supergroup:drwxr-xr-x
> 
> 2. Execute enable-hdfs-plugin.sh and restart hadoop-hdfs, ranger authorization control enabled.
> We add policy to give permission for user yuwen to put a file in web UI.
> [yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
> [yuwen@zdh41 bin]$ ./hdfs dfs -ls /test
> Found 1 items
> -rw-r--r--   3 yuwen supergroup         15 2017-02-20 17:07 /test/a.txt
> 
> 3. Execute disable-hdfs-plugin.sh and Restart hadoop-hdfs
> user yuwen shouldn't have the permission to put a file in Catalog /test
> but he also has the rights, ranger hdfs-plugin function not revoked.
> This is a serious problem which causes hadoop-hdfs authorization to fail.
> 
> 
> Diffs
> -----
> 
>   hdfs-agent/disable-conf/hdfs-site-changes.cfg PRE-CREATION 
>   src/main/assembly/hdfs-agent.xml 63e426a 
> 
> 
> Diff: https://reviews.apache.org/r/56700/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>


Re: Review Request 56700: RANGER-1386:Ranger hdfs-plugin function not revoked after execute disable-hdfs-plugin.sh which cause hadoop-hdfs authorization failed.

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56700/
-----------------------------------------------------------

(Updated March 10, 2017, 1:45 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1386
    https://issues.apache.org/jira/browse/RANGER-1386


Repository: ranger


Description
-------

steps:
1. User yuwen doesn't have the permission to put a.txt in hdfs Catalog /test
[yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
put: Permission denied: user=yuwen, access=WRITE, inode="/test/a.txt._COPYING_":xiehh:supergroup:drwxr-xr-x

2. Execute enable-hdfs-plugin.sh and restart hadoop-hdfs, ranger authorization control enabled.
We add policy to give permission for user yuwen to put a file in web UI.
[yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
[yuwen@zdh41 bin]$ ./hdfs dfs -ls /test
Found 1 items
-rw-r--r--   3 yuwen supergroup         15 2017-02-20 17:07 /test/a.txt

3. Execute disable-hdfs-plugin.sh and Restart hadoop-hdfs
user yuwen shouldn't have the permission to put a file in Catalog /test
but he also has the rights, ranger hdfs-plugin function not revoked.
This is a serious problem which causes hadoop-hdfs authorization to fail.


Diffs (updated)
-----

  hdfs-agent/disable-conf/hdfs-site-changes.cfg PRE-CREATION 
  src/main/assembly/hdfs-agent.xml 63e426a 


Diff: https://reviews.apache.org/r/56700/diff/2/

Changes: https://reviews.apache.org/r/56700/diff/1-2/


Testing
-------


Thanks,

Qiang Zhang


Re: Review Request 56700: RANGER-1386:Ranger hdfs-plugin function not revoked after execute disable-hdfs-plugin.sh which cause hadoop-hdfs authorization failed.

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56700/
-----------------------------------------------------------

(Updated February 20, 2017, 9:06 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Summary (updated)
-----------------

RANGER-1386:Ranger hdfs-plugin function not revoked after execute disable-hdfs-plugin.sh which cause hadoop-hdfs authorization failed.


Bugs: RANGER-1386
    https://issues.apache.org/jira/browse/RANGER-1386


Repository: ranger


Description (updated)
-------

steps:
1. User yuwen doesn't have the permission to put a.txt in hdfs Catalog /test
[yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
put: Permission denied: user=yuwen, access=WRITE, inode="/test/a.txt._COPYING_":xiehh:supergroup:drwxr-xr-x

2. Execute enable-hdfs-plugin.sh and restart hadoop-hdfs, ranger authorization control enabled.
We add policy to give permission for user yuwen to put a file in web UI.
[yuwen@zdh41 bin]$ ./hdfs dfs -put /home/xiehh/a.txt /test
[yuwen@zdh41 bin]$ ./hdfs dfs -ls /test
Found 1 items
-rw-r--r--   3 yuwen supergroup         15 2017-02-20 17:07 /test/a.txt

3. Execute disable-hdfs-plugin.sh and Restart hadoop-hdfs
user yuwen shouldn't have the permission to put a file in Catalog /test
but he also has the rights, ranger hdfs-plugin function not revoked.
This is a serious problem which causes hadoop-hdfs authorization to fail.


Diffs
-----

  hdfs-agent/disable-conf/hdfs-site-changes.cfg PRE-CREATION 
  src/main/assembly/hdfs-agent.xml 63e426a 

Diff: https://reviews.apache.org/r/56700/diff/


Testing
-------


Thanks,

Qiang Zhang
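

Added example (not part of the thread and not Ranger's own code): a post-disable check on hdfs-site.xml for the two things the review discusses, a leftover Ranger authorizer and the dfs.permissions.enabled/dfs.permissions switches. The property name dfs.namenode.inode.attributes.provider.class and the org.apache.ranger. class prefix are assumptions that do not appear in the thread, and both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Assumptions, not taken from the thread: the Hadoop property that names an
# external HDFS authorizer, and the package prefix of Ranger's classes.
AUTHORIZER_PROP = "dfs.namenode.inode.attributes.provider.class"
RANGER_PREFIX = "org.apache.ranger."
PERMISSION_PROPS = ("dfs.permissions.enabled", "dfs.permissions")

# Constructed sample: hdfs-site.xml after a disable run that left the
# authorizer entry behind.
LEFTOVER = f"""<configuration>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
  <property>
    <name>{AUTHORIZER_PROP}</name>
    <value>org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer</value>
  </property>
</configuration>"""

# Constructed sample: the same file with the authorizer entry removed.
CLEAN = """<configuration>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} for every <property> in a *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_disabled_plugin(xml_text):
    """List settings that should not survive disabling the plugin."""
    props = load_properties(xml_text)
    findings = []
    authorizer = props.get(AUTHORIZER_PROP, "")
    if authorizer.startswith(RANGER_PREFIX):
        findings.append(f"{AUTHORIZER_PROP} still points at Ranger: {authorizer}")
    # With permission checks off, HDFS enforces nothing once Ranger is gone.
    findings += [f"{name} is false: native permission checks are off"
                 for name in PERMISSION_PROPS
                 if props.get(name, "true").lower() == "false"]
    return findings


if __name__ == "__main__":
    for label, doc in (("leftover", LEFTOVER), ("clean", CLEAN)):
        print(label, audit_disabled_plugin(doc) or "OK")
```

Run it against the NameNode's hdfs-site.xml after disable-hdfs-plugin.sh and before the restart; an empty result means neither condition was found.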