You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ranger.apache.org by Margus Roo <ma...@roo.ee> on 2015/12/17 13:20:26 UTC
HDFS-plugin does nothing
Hi
I am new Ranger user and perhaps I did something wrong.
Installed Ranger via Ambari. I can log into Ranger UI and all Unix local
users are synced and there is configuration under HDFS resource and test
connection gives OK.
I can see loads of hdfs@... records with 200 under audit plugins tab.
Now I am a little confused.
I can still do all operations with HDFS. Like there is no ranger hdfs
plugin activated.
in namenode I see:
authorize.ServiceAuthorizationManager
(ServiceAuthorizationManager.java:authorize(135)) - Authorization
successful for margusja (auth:SIMPLE) for protocol=interface
org.apache.hadoop.hdfs.protocol.ClientProtocol
But I do not have any rules for margusja in Ranger.
What I expect is that user margusja will get permission denied.
I use hdfs simple auth not kerberos. Is is possible use ranger
authorization without kerberos?
--
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
Re: HDFS-plugin does nothing
Posted by Margus Roo <ma...@roo.ee>.
Thanks. Can you point out configuration or documentation where this is
more detailed described?
Br
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 21:33, Don Bosco Durai wrote:
> Also, don’t forget to change your umask to 077 or 007.
>
> This email thread as lot of context:
> https://www.mail-archive.com/user@ranger.incubator.apache.org/msg00719.html
>
> Bosco
>
>
> From: Margus Roo <margus@roo.ee <ma...@roo.ee>>
> Reply-To: <user@ranger.incubator.apache.org
> <ma...@ranger.incubator.apache.org>>
> Date: Thursday, December 17, 2015 at 5:12 AM
> To: <user@ranger.incubator.apache.org
> <ma...@ranger.incubator.apache.org>>
> Subject: Re: HDFS-plugin does nothing
>
> Tnx - clear
>
> Margus (margusja) Roo
> http://margus.roo.ee
> skype: margusja
> +372 51 48 780
>
> On 17/12/15 15:07, Selvamohan Neethiraj wrote:
>> Please do NOT change permission to 000 for all files. You should
>> do it only to your own application folders and/or well-known folders.
>>
>> Thanks,
>> Selva-
>>
>>
>>> On Dec 17, 2015, at 7:56 AM, Margus Roo <ma...@roo.ee> wrote:
>>>
>>> Found solution. Basically helped hdfs dfs -chmod -R 000
>>> /user/margusja and now Ranger took over.
>>> So how to disable Hadoop HDFS built in authorization? Or I have
>>> to chmod -R 000 / ?
>>>
>>> Margus (margusja) Roo
>>> http://margus.roo.ee
>>> skype: margusja
>>> +372 51 48 780
>>> On 17/12/15 14:30, Margus Roo wrote:
>>>> Hi thanks for answer.
>>>>
>>>> At the moment margusja is in group margusja
>>>>
>>>> [margusja@hadoopnn2 ~]$ id margusja
>>>> uid=1016(margusja) gid=1016(margusja) groups=1016(margusja)
>>>>
>>>> Margus (margusja) Roo
>>>> http://margus.roo.ee
>>>> skype: margusja
>>>> +372 51 48 780
>>>> On 17/12/15 14:25, lukas nalezenec wrote:
>>>>> Hi,
>>>>> I solved this problem last week. I am also using SIMPLE auth.
>>>>> If you are solving the same problem then after removing user
>>>>> margusja from group hdfs it should work.
>>>>>
>>>>> Lukas
>>>>>
>>>>> 2015-12-17 13:20 GMT+01:00 Margus Roo <margus@roo.ee
>>>>> <ma...@roo.ee>>:
>>>>>
>>>>> Hi
>>>>>
>>>>> I am new Ranger user and perhaps I did something wrong.
>>>>>
>>>>> Installed Ranger via Ambari. I can log into Ranger UI and
>>>>> all Unix local users are synced and there is configuration
>>>>> under HDFS resource and test connection gives OK.
>>>>> I can see loads of hdfs@... records with 200 under audit
>>>>> plugins tab.
>>>>>
>>>>> Now I am a little confused.
>>>>>
>>>>> I can still do all operations with HDFS. Like there is no
>>>>> ranger hdfs plugin activated.
>>>>> in namenode I see:
>>>>> authorize.ServiceAuthorizationManager
>>>>> (ServiceAuthorizationManager.java:authorize(135)) -
>>>>> Authorization successful for margusja (auth:SIMPLE) for
>>>>> protocol=interface
>>>>> org.apache.hadoop.hdfs.protocol.ClientProtocol
>>>>>
>>>>> But I do not have any rules for margusja in Ranger.
>>>>> What I expect is that user margusja will get permission
>>>>> denied.
>>>>>
>>>>> I use hdfs simple auth not kerberos. Is is possible use
>>>>> ranger authorization without kerberos?
>>>>>
>>>>>
>>>>> --
>>>>> Margus (margusja) Roo
>>>>> http://margus.roo.ee <http://margus.roo.ee/>
>>>>> skype: margusja
>>>>> +372 51 48 780 <tel:%2B372%2051%2048%20780>
>>>>>
>>>>>
>>>>
>>>
>>
>
Re: HDFS-plugin does nothing
Posted by Don Bosco Durai <bo...@apache.org>.
Also, don’t forget to change your umask to 077 or 007.
This email thread as lot of context: https://www.mail-archive.com/user@ranger.incubator.apache.org/msg00719.html
Bosco
From: Margus Roo <ma...@roo.ee>
Reply-To: <us...@ranger.incubator.apache.org>
Date: Thursday, December 17, 2015 at 5:12 AM
To: <us...@ranger.incubator.apache.org>
Subject: Re: HDFS-plugin does nothing
Tnx - clear
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 15:07, Selvamohan Neethiraj wrote:
Please do NOT change permission to 000 for all files. You should do it only to your own application folders and/or well-known folders.
Thanks,
Selva-
On Dec 17, 2015, at 7:56 AM, Margus Roo <ma...@roo.ee> wrote:
Found solution. Basically helped hdfs dfs -chmod -R 000 /user/margusja and now Ranger took over.
So how to disable Hadoop HDFS built in authorization? Or I have to chmod -R 000 / ?
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 14:30, Margus Roo wrote:
Hi thanks for answer.
At the moment margusja is in group margusja
[margusja@hadoopnn2 ~]$ id margusja
uid=1016(margusja) gid=1016(margusja) groups=1016(margusja)
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 14:25, lukas nalezenec wrote:
Hi,
I solved this problem last week. I am also using SIMPLE auth.
If you are solving the same problem then after removing user margusja from group hdfs it should work.
Lukas
2015-12-17 13:20 GMT+01:00 Margus Roo <ma...@roo.ee>:
Hi
I am new Ranger user and perhaps I did something wrong.
Installed Ranger via Ambari. I can log into Ranger UI and all Unix local users are synced and there is configuration under HDFS resource and test connection gives OK.
I can see loads of hdfs@... records with 200 under audit plugins tab.
Now I am a little confused.
I can still do all operations with HDFS. Like there is no ranger hdfs plugin activated.
in namenode I see:
authorize.ServiceAuthorizationManager (ServiceAuthorizationManager.java:authorize(135)) - Authorization successful for margusja (auth:SIMPLE) for protocol=interface org.apache.hadoop.hdfs.protocol.ClientProtocol
But I do not have any rules for margusja in Ranger.
What I expect is that user margusja will get permission denied.
I use hdfs simple auth not kerberos. Is is possible use ranger authorization without kerberos?
--
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
Re: HDFS-plugin does nothing
Posted by Margus Roo <ma...@roo.ee>.
Tnx - clear
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 15:07, Selvamohan Neethiraj wrote:
> Please do NOT change permission to 000 for all files. You should do it
> only to your own application folders and/or well-known folders.
>
> Thanks,
> Selva-
>
>
>> On Dec 17, 2015, at 7:56 AM, Margus Roo <margus@roo.ee
>> <ma...@roo.ee>> wrote:
>>
>> Found solution. Basically helped hdfs dfs -chmod -R 000
>> /user/margusja and now Ranger took over.
>> So how to disable Hadoop HDFS built in authorization? Or I have to
>> chmod -R 000 / ?
>>
>> Margus (margusja) Roo
>> http://margus.roo.ee
>> skype: margusja
>> +372 51 48 780
>> On 17/12/15 14:30, Margus Roo wrote:
>>> Hi thanks for answer.
>>>
>>> At the moment margusja is in group margusja
>>>
>>> [margusja@hadoopnn2 ~]$ id margusja
>>> uid=1016(margusja) gid=1016(margusja) groups=1016(margusja)
>>>
>>> Margus (margusja) Roo
>>> http://margus.roo.ee
>>> skype: margusja
>>> +372 51 48 780
>>> On 17/12/15 14:25, lukas nalezenec wrote:
>>>> Hi,
>>>> I solved this problem last week. I am also using SIMPLE auth.
>>>> If you are solving the same problem then after removing user
>>>> margusja from group hdfs it should work.
>>>>
>>>> Lukas
>>>>
>>>> 2015-12-17 13:20 GMT+01:00 Margus Roo <margus@roo.ee
>>>> <ma...@roo.ee>>:
>>>>
>>>> Hi
>>>>
>>>> I am new Ranger user and perhaps I did something wrong.
>>>>
>>>> Installed Ranger via Ambari. I can log into Ranger UI and all
>>>> Unix local users are synced and there is configuration under
>>>> HDFS resource and test connection gives OK.
>>>> I can see loads of hdfs@... records with 200 under audit
>>>> plugins tab.
>>>>
>>>> Now I am a little confused.
>>>>
>>>> I can still do all operations with HDFS. Like there is no
>>>> ranger hdfs plugin activated.
>>>> in namenode I see:
>>>> authorize.ServiceAuthorizationManager
>>>> (ServiceAuthorizationManager.java:authorize(135)) -
>>>> Authorization successful for margusja (auth:SIMPLE) for
>>>> protocol=interface org.apache.hadoop.hdfs.protocol.ClientProtocol
>>>>
>>>> But I do not have any rules for margusja in Ranger.
>>>> What I expect is that user margusja will get permission denied.
>>>>
>>>> I use hdfs simple auth not kerberos. Is is possible use ranger
>>>> authorization without kerberos?
>>>>
>>>>
>>>> --
>>>> Margus (margusja) Roo
>>>> http://margus.roo.ee <http://margus.roo.ee/>
>>>> skype: margusja
>>>> +372 51 48 780 <tel:%2B372%2051%2048%20780>
>>>>
>>>>
>>>
>>
>
Re: HDFS-plugin does nothing
Posted by Selvamohan Neethiraj <sn...@hortonworks.com>.
Please do NOT change permission to 000 for all files. You should do it only to your own application folders and/or well-known folders.
Thanks,
Selva-
On Dec 17, 2015, at 7:56 AM, Margus Roo <ma...@roo.ee>> wrote:
Found solution. Basically helped hdfs dfs -chmod -R 000 /user/margusja and now Ranger took over.
So how to disable Hadoop HDFS built in authorization? Or I have to chmod -R 000 / ?
Margus (margusja) Roo
http://margus.roo.ee<http://margus.roo.ee/>
skype: margusja
+372 51 48 780
On 17/12/15 14:30, Margus Roo wrote:
Hi thanks for answer.
At the moment margusja is in group margusja
[margusja@hadoopnn2 ~]$ id margusja
uid=1016(margusja) gid=1016(margusja) groups=1016(margusja)
Margus (margusja) Roo
http://margus.roo.ee<http://margus.roo.ee/>
skype: margusja
+372 51 48 780
On 17/12/15 14:25, lukas nalezenec wrote:
Hi,
I solved this problem last week. I am also using SIMPLE auth.
If you are solving the same problem then after removing user margusja from group hdfs it should work.
Lukas
2015-12-17 13:20 GMT+01:00 Margus Roo <ma...@roo.ee>>:
Hi
I am new Ranger user and perhaps I did something wrong.
Installed Ranger via Ambari. I can log into Ranger UI and all Unix local users are synced and there is configuration under HDFS resource and test connection gives OK.
I can see loads of hdfs@... records with 200 under audit plugins tab.
Now I am a little confused.
I can still do all operations with HDFS. Like there is no ranger hdfs plugin activated.
in namenode I see:
authorize.ServiceAuthorizationManager (ServiceAuthorizationManager.java:authorize(135)) - Authorization successful for margusja (auth:SIMPLE) for protocol=interface org.apache.hadoop.hdfs.protocol.ClientProtocol
But I do not have any rules for margusja in Ranger.
What I expect is that user margusja will get permission denied.
I use hdfs simple auth not kerberos. Is is possible use ranger authorization without kerberos?
--
Margus (margusja) Roo
http://margus.roo.ee<http://margus.roo.ee/>
skype: margusja
+372 51 48 780<tel:%2B372%2051%2048%20780>
Re: HDFS-plugin does nothing
Posted by Margus Roo <ma...@roo.ee>.
Found solution. Basically helped hdfs dfs -chmod -R 000 /user/margusja
and now Ranger took over.
So how to disable Hadoop HDFS built in authorization? Or I have to chmod
-R 000 / ?
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 14:30, Margus Roo wrote:
> Hi thanks for answer.
>
> At the moment margusja is in group margusja
>
> [margusja@hadoopnn2 ~]$ id margusja
> uid=1016(margusja) gid=1016(margusja) groups=1016(margusja)
>
> Margus (margusja) Roo
> http://margus.roo.ee
> skype: margusja
> +372 51 48 780
> On 17/12/15 14:25, lukas nalezenec wrote:
>> Hi,
>> I solved this problem last week. I am also using SIMPLE auth.
>> If you are solving the same problem then after removing user margusja
>> from group hdfs it should work.
>>
>> Lukas
>>
>> 2015-12-17 13:20 GMT+01:00 Margus Roo <margus@roo.ee
>> <ma...@roo.ee>>:
>>
>> Hi
>>
>> I am new Ranger user and perhaps I did something wrong.
>>
>> Installed Ranger via Ambari. I can log into Ranger UI and all
>> Unix local users are synced and there is configuration under HDFS
>> resource and test connection gives OK.
>> I can see loads of hdfs@... records with 200 under audit plugins tab.
>>
>> Now I am a little confused.
>>
>> I can still do all operations with HDFS. Like there is no ranger
>> hdfs plugin activated.
>> in namenode I see:
>> authorize.ServiceAuthorizationManager
>> (ServiceAuthorizationManager.java:authorize(135)) - Authorization
>> successful for margusja (auth:SIMPLE) for protocol=interface
>> org.apache.hadoop.hdfs.protocol.ClientProtocol
>>
>> But I do not have any rules for margusja in Ranger.
>> What I expect is that user margusja will get permission denied.
>>
>> I use hdfs simple auth not kerberos. Is is possible use ranger
>> authorization without kerberos?
>>
>>
>> --
>> Margus (margusja) Roo
>> http://margus.roo.ee
>> skype: margusja
>> +372 51 48 780 <tel:%2B372%2051%2048%20780>
>>
>>
>
Re: HDFS-plugin does nothing
Posted by Margus Roo <ma...@roo.ee>.
Hi thanks for answer.
At the moment margusja is in group margusja
[margusja@hadoopnn2 ~]$ id margusja
uid=1016(margusja) gid=1016(margusja) groups=1016(margusja)
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 14:25, lukas nalezenec wrote:
> Hi,
> I solved this problem last week. I am also using SIMPLE auth.
> If you are solving the same problem then after removing user margusja
> from group hdfs it should work.
>
> Lukas
>
> 2015-12-17 13:20 GMT+01:00 Margus Roo <margus@roo.ee
> <ma...@roo.ee>>:
>
> Hi
>
> I am new Ranger user and perhaps I did something wrong.
>
> Installed Ranger via Ambari. I can log into Ranger UI and all Unix
> local users are synced and there is configuration under HDFS
> resource and test connection gives OK.
> I can see loads of hdfs@... records with 200 under audit plugins tab.
>
> Now I am a little confused.
>
> I can still do all operations with HDFS. Like there is no ranger
> hdfs plugin activated.
> in namenode I see:
> authorize.ServiceAuthorizationManager
> (ServiceAuthorizationManager.java:authorize(135)) - Authorization
> successful for margusja (auth:SIMPLE) for protocol=interface
> org.apache.hadoop.hdfs.protocol.ClientProtocol
>
> But I do not have any rules for margusja in Ranger.
> What I expect is that user margusja will get permission denied.
>
> I use hdfs simple auth not kerberos. Is is possible use ranger
> authorization without kerberos?
>
>
> --
> Margus (margusja) Roo
> http://margus.roo.ee
> skype: margusja
> +372 51 48 780 <tel:%2B372%2051%2048%20780>
>
>
Re: HDFS-plugin does nothing
Posted by lukas nalezenec <lu...@gmail.com>.
Hi,
I solved this problem last week. I am also using SIMPLE auth.
If you are solving the same problem then after removing user margusja from
group hdfs it should work.
Lukas
2015-12-17 13:20 GMT+01:00 Margus Roo <ma...@roo.ee>:
> Hi
>
> I am new Ranger user and perhaps I did something wrong.
>
> Installed Ranger via Ambari. I can log into Ranger UI and all Unix local
> users are synced and there is configuration under HDFS resource and test
> connection gives OK.
> I can see loads of hdfs@... records with 200 under audit plugins tab.
>
> Now I am a little confused.
>
> I can still do all operations with HDFS. Like there is no ranger hdfs
> plugin activated.
> in namenode I see:
> authorize.ServiceAuthorizationManager
> (ServiceAuthorizationManager.java:authorize(135)) - Authorization
> successful for margusja (auth:SIMPLE) for protocol=interface
> org.apache.hadoop.hdfs.protocol.ClientProtocol
>
> But I do not have any rules for margusja in Ranger.
> What I expect is that user margusja will get permission denied.
>
> I use hdfs simple auth not kerberos. Is is possible use ranger
> authorization without kerberos?
>
>
> --
> Margus (margusja) Roo
> http://margus.roo.ee
> skype: margusja
> +372 51 48 780
>
>
Re: HDFS-plugin does nothing
Posted by Margus Roo <ma...@roo.ee>.
This is my policy cache
{
"serviceName": "Arendus_hadoop",
"serviceId": 5,
"policyVersion": 11,
"policyUpdateTime": "20151217-12:39:59.171-+0200",
"policies": [
{
"service": "Arendus_hadoop",
"name": "Arendus_hadoop-1-20151216202525",
"description": "Default Policy for Service: Arendus_hadoop",
"resourceSignature": "6f956063401eda656f1eae8870c1afac",
"isAuditEnabled": true,
"resources": {
"path": {
"values": [
"/*"
],
"isExcludes": false,
"isRecursive": true
}
},
"policyItems": [
{
"accesses": [
{
"type": "read",
"isAllowed": true
},
{
"type": "write",
"isAllowed": true
},
{
"type": "execute",
"isAllowed": true
}
],
"users": [
"ambari-qa"
],
"groups": [],
"conditions": [],
"delegateAdmin": true
}
],
"id": 7,
"guid": "1450297525844_383_397",
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": "20151216-20:25:25.551-+0200",
"updateTime": "20151217-10:39:59.148-+0200",
"version": 11
}
],
"serviceDef": {
"name": "hdfs",
"implClass": "org.apache.ranger.services.hdfs.RangerServiceHdfs",
"label": "HDFS Repository",
"description": "HDFS Repository",
"configs": [
{
"itemId": 1,
"name": "username",
"type": "string",
"subType": "",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Username"
},
{
"itemId": 2,
"name": "password",
"type": "password",
"subType": "",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Password"
},
{
"itemId": 3,
"name": "fs.default.name",
"type": "string",
"subType": "",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Namenode URL"
},
{
"itemId": 4,
"name": "hadoop.security.authorization",
"type": "bool",
"subType": "YesTrue:NoFalse",
"mandatory": true,
"defaultValue": "false",
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Authorization Enabled"
},
{
"itemId": 5,
"name": "hadoop.security.authentication",
"type": "enum",
"subType": "authnType",
"mandatory": true,
"defaultValue": "simple",
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Authentication Type"
},
{
"itemId": 6,
"name": "hadoop.security.auth_to_local",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 7,
"name": "dfs.datanode.kerberos.principal",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 8,
"name": "dfs.namenode.kerberos.principal",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 9,
"name": "dfs.secondary.namenode.kerberos.principal",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 10,
"name": "hadoop.rpc.protection",
"type": "enum",
"subType": "rpcProtection",
"mandatory": false,
"defaultValue": "authentication",
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "RPC Protection Type"
},
{
"itemId": 11,
"name": "commonNameForCertificate",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Common Name for Certificate"
}
],
"resources": [
{
"itemId": 1,
"name": "path",
"type": "path",
"level": 10,
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": true,
"excludesSupported": false,
"matcher":
"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "false"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Resource Path",
"description": "HDFS file or directory path"
}
],
"accessTypes": [
{
"itemId": 1,
"name": "read",
"label": "Read",
"impliedGrants": []
},
{
"itemId": 2,
"name": "write",
"label": "Write",
"impliedGrants": []
},
{
"itemId": 3,
"name": "execute",
"label": "Execute",
"impliedGrants": []
}
],
"policyConditions": [],
"contextEnrichers": [],
"enums": [
{
"itemId": 1,
"name": "authnType",
"elements": [
{
"itemId": 1,
"name": "simple",
"label": "Simple"
},
{
"itemId": 2,
"name": "kerberos",
"label": "Kerberos"
}
],
"defaultIndex": 0
},
{
"itemId": 2,
"name": "rpcProtection",
"elements": [
{
"itemId": 1,
"name": "authentication",
"label": "Authentication"
},
{
"itemId": 2,
"name": "integrity",
"label": "Integrity"
},
{
"itemId": 3,
"name": "privacy",
"label": "Privacy"
}
],
"defaultIndex": 0
}
],
"id": 1,
"guid": "0d047247-bafe-4cf8-8e9b-d5d377284b2d",
"isEnabled": true,
"createTime": "20151216-13:23:40.132-+0200",
"updateTime": "20151216-13:23:40.138-+0200",
"version": 1
}
}
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 14:20, Margus Roo wrote:
> Hi
>
> I am new Ranger user and perhaps I did something wrong.
>
> Installed Ranger via Ambari. I can log into Ranger UI and all Unix
> local users are synced and there is configuration under HDFS resource
> and test connection gives OK.
> I can see loads of hdfs@... records with 200 under audit plugins tab.
>
> Now I am a little confused.
>
> I can still do all operations with HDFS. Like there is no ranger hdfs
> plugin activated.
> in namenode I see:
> authorize.ServiceAuthorizationManager
> (ServiceAuthorizationManager.java:authorize(135)) - Authorization
> successful for margusja (auth:SIMPLE) for protocol=interface
> org.apache.hadoop.hdfs.protocol.ClientProtocol
>
> But I do not have any rules for margusja in Ranger.
> What I expect is that user margusja will get permission denied.
>
> I use hdfs simple auth not kerberos. Is is possible use ranger
> authorization without kerberos?
>
>