Posted to user@ranger.apache.org by Kaliyug Antagonist <ka...@gmail.com> on 2016/06/28 13:36:02 UTC

HDFS Policy 'resource path' with placeholder - is there some way?

I am trying to understand and practice Ranger configurations on the local
HDP 2.4 sandbox.

The *objective* is that when the users (existing in some LDAP group) log in
and try to access HDFS, they should be able to access only their 'home
directory' and others like tmp. I did the following:

   - Create a 'home directory' and for the users as well; note, the owner
   is still hdfs! Suggestions welcome here, e.g.: is this new /userhome dir.
   desirable, or shall I use the existing /user directory?


   [hdfs@sandbox root]$ hdfs dfs -ls /userhome
   Found 2 items
   drwxr-xr-x   - hdfs hdfs          0 2016-06-27 14:24 /userhome/HBRDMV
   drwxr-xr-x   - hdfs hdfs          0 2016-06-27 14:55 /userhome/ojoqcu


   - Disabled the default HDFS policy and created two new ones. The
   'HadoopEcosystem' policy is to ensure that the Hadoop users can execute
   their operations smoothly, e.g. the Hive CLI can be started by the Hive
   user and used without access issues


   - In the 'RestrictiveHDFS' policy, I intend to achieve the *objective*.
   I have provided the 'Resource Path' accordingly


   - I think it works; can anyone point out what I have missed to verify?


   [ojoqcu@sandbox ~]$ hdfs dfs -ls /userhome/HBRDMV
   ls: Permission denied: user=ojoqcu, access=EXECUTE, inode="/userhome/HBRDMV":hdfs:hdfs:drwxr-x---

   [ojoqcu@sandbox ~]$ hdfs dfs -mkdir /userhome/ojoqcu/code

   [ojoqcu@sandbox ~]$ hdfs dfs -ls /userhome/ojoqcu
   Found 1 item
   drwxr-xr-x   - ojoqcu hdfs          0 2016-06-28 11:33 /userhome/ojoqcu/code

   [ojoqcu@sandbox ~]$ hdfs dfs -ls /userhome/
   ls: Permission denied: user=ojoqcu, access=EXECUTE, inode="/userhome":hdfs:hdfs:drwxr-x---

Now, there may be plenty of users who will have their own directories under
/userhome, but only the single policy 'RestrictiveHDFS' would suffice;
however, the 'Resource Path' doesn't provide a way to specify something
like /userhome/{user}, where {user} can be any of the users from the 'Select
User' list under 'User and Group Permissions'. How can I achieve this?
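
One way to get the per-user restriction described above without a placeholder is to generate one policy object per user and check the resulting access matrix before loading anything. This is an added example, not part of the original post and not Ranger's own code; the service name `Sandbox_hadoop`, the policy names, the granted access types and the simplified `is_allowed` model are assumptions.

```python
import json
import re

# Assumptions (not from the original post): the Ranger HDFS service name and
# the access types granted. The dict layout follows Ranger's policy JSON model.
SERVICE = "Sandbox_hadoop"          # assumed repository name
BASE = "/userhome"                  # base directory used in the post
ACCESSES = ("read", "write", "execute")
SAFE_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def home_policy(user, base=BASE, service=SERVICE):
    """Build one policy granting `user` access to base/user only."""
    # The user name becomes a path component, so refuse anything that could
    # widen the resource ("..", "/", wildcards) instead of trusting LDAP data.
    if not SAFE_USER.fullmatch(user) or ".." in user:
        raise ValueError("unsafe user name for a resource path: %r" % user)
    return {
        "service": service,
        "name": "home-%s" % user,
        "isEnabled": True,
        "resources": {"path": {"values": ["%s/%s" % (base, user)],
                               "isRecursive": True, "isExcludes": False}},
        "policyItems": [{
            "users": [user], "groups": [],
            "accesses": [{"type": a, "isAllowed": True} for a in ACCESSES],
            "delegateAdmin": False,
        }],
    }


def is_allowed(policies, user, path, access):
    """Simplified evaluation of the generated policies (recursive path match);
    a model for checking the access matrix, not Ranger's own engine."""
    for p in policies:
        for root in p["resources"]["path"]["values"]:
            under = path == root or path.startswith(root + "/")
            for item in p["policyItems"]:
                granted = {a["type"] for a in item["accesses"] if a["isAllowed"]}
                if under and user in item["users"] and access in granted:
                    return True
    return False


if __name__ == "__main__":
    users = ["HBRDMV", "ojoqcu"]    # the two users shown in the post
    print(json.dumps([home_policy(u) for u in users], indent=2))
```

The model only covers what these generated policies grant; on a real cluster the native HDFS permissions shown in the `ls` output above still have to be checked separately.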