Posted to user@ranger.apache.org by Don Bosco Durai <bo...@apache.org> on 2015/03/27 23:26:37 UTC

Re: About group and policy

> But I don't want to create user and group in the linux of each hive
>client. Can you tell me how to use “hadoop groups $user”
Users and groups are interpreted by HDFS, Hive and all Hadoop components.
So you need to have user to group mappings either in Linux or in LDAP/AD.
If I am not wrong, Hadoop also supports groups from a flat file. You can
investigate that option also.
Can you also let me know where your current user to groups are?


>2. Sometimes we want to use two or more hiveserver2 client which have
>the same permissions, but I can't create the same policy in two HIVE
>Repositories. I need One Policy control two HIVE Repositories. Or I can
>copy the policy from one repository to another.

You have two options:
1. You can export the policy from RangerAdmin and import it to another one.
2. If both the HiveServers will have identical policies, then you should
be able to point them to the same repo on the Ranger side. If you want the
audit to be separated, then you should send the audits to different
databases. You still have to stand up another RangerAdmin only for the audits.
This is sort of a workaround, but saves you the effort of copying policies.


>3. Why ranger use role to control the permission of user, I think you
>know that "apache sentry" have the same purpose like ranger , it use role
>to control the users' permission. I need a good way to manage users'
>permission when I have thirty users or more
I think it is not about roles, but how you are going to manage your users
for authentication and groups. Once you have 30+ users and have multiple
applications in your enterprise, then you would like to have AD or LDAP to
manage them. Once you have AD/LDAP, then you create groups/roles in AD/LDAP
and map them in Hadoop and use them to give permissions. This makes your
management very simple. Even if you don’t have a central AD/LDAP, you can
still set up a standalone LDAP in your Hadoop and create groups in it. Let
me know if you need any help setting up LDAP with memberOf. If you are using
AD, then groups are inbuilt and it can also serve as your KDC.

I hope this answers your question. Feel free to ask more if you need
clarification.

Thanks

Bosco




On 3/26/15, 2:45 AM, "黄健" <hu...@jd.com> wrote:

>Hi, Bosco
>     Last time you said that:
>The groups should work. The best way to test it is to do “hadoop groups
>$user”
>and see what is returning. And use the same groups in the policy.
>
>1. I found that, only when I use the command "groupadd", "useradd" to
>create user and group in the linux of hive client, the ranger's group
>worked. But I don't want to create user and group in the linux of each
>hive client. Can you tell me how to use “hadoop groups $user”
>
>2. Sometimes we want to use two or more hiveserver2 client which have
>the same permissions, but I can't create the same policy in two HIVE
>Repositories. I need One Policy control two HIVE Repositories. Or I can
>copy the policy from one repository to another.
>
>3. Why ranger use role to control the permission of user, I think you
>know that "apache sentry" have the same purpose like ranger , it use role
>to control the users' permission. I need a good way to manage users'
>permission when I have thirty users or more
>
>Thanks!
>________________________________
>Yours sincerely, Jian Huang
>Beijing China