Posted to dev@ranger.apache.org by "Abhay Kulkarni (Jira)" <ji...@apache.org> on 2021/07/12 19:39:00 UTC

[jira] [Created] (RANGER-3337) Ranger policy not taking effect with HDFS Snapshots

Abhay Kulkarni created RANGER-3337:
--------------------------------------

             Summary: Ranger policy not taking effect with HDFS Snapshots
                 Key: RANGER-3337
                 URL: https://issues.apache.org/jira/browse/RANGER-3337
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Abhay Kulkarni
            Assignee: Abhay Kulkarni


Steps to reproduce the issue:

Step 1
======
Create a new HDFS policy in Ranger.

Policy Details:
 - Policy Name: testcase
 - Resource Path: /testcase

Allow Conditions:
 - Select User: testuser
 - Enabled: yes
 - Recursive: yes
 - Audit Logging: yes
 - Permissions: Read, Write, Execute

Make a note of the Policy ID of the new policy. In my case, it was Policy ID 1976.

Note that "testuser" should be a non-privileged account. On my cluster I'm using "testuser", but you may choose something different.

Step 2
======
Run the following commands whilst authenticated as the "hdfs" superuser:

$ hdfs dfs -mkdir -p /testcase/dir1
$ hdfs dfsadmin -allowSnapshot /testcase
$ hdfs dfs -createSnapshot /testcase s1

Step 3
======
Run the following commands whilst authenticated as the "testuser" user:

$ hdfs dfs -ls /testcase
$ hdfs dfs -ls /testcase/dir1
$ hdfs dfs -ls /testcase/.snapshot/s1

NOTE: You might get a permission denied error when you run "hdfs dfs -ls /testcase/.snapshot/s1". For the purposes of this test case, it does not matter whether the command succeeds.

Step 4
======
Review the Ranger audit log for the 3 commands you just ran to notice the following:
 - The policy id in the first command (hdfs dfs -ls /testcase) is the policy id of the policy created in step 1, e.g. 1976
 - The policy id in the second command (hdfs dfs -ls /testcase/dir1) is the policy id of the policy created in step 1, e.g. 1976
 - The policy id in the third command (hdfs dfs -ls /testcase/.snapshot/s1) is "-1", i.e. Ranger did not find a matching policy

Therefore, Ranger HDFS policy is not evaluated for HDFS snapshots.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
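
The audit review in Step 4 can be automated. The following is an added example, not part of the original report or of Ranger's code: it scans audit records for accesses under ".snapshot" that were logged with policy id -1 and pairs each with the policy that matched the corresponding live path. It assumes JSON-lines audit records with the fields "reqUser", "resource" and "policy"; the sample records are constructed from the values in the report.

```python
import json
import re

# Constructed sample records mirroring the three commands in Step 3.
# Field names (reqUser, resource, policy, result) are an assumption
# about the audit record layout; adjust them to your audit destination.
SAMPLE_AUDIT = """\
{"reqUser": "testuser", "resource": "/testcase", "policy": 1976, "result": 1}
{"reqUser": "testuser", "resource": "/testcase/dir1", "policy": 1976, "result": 1}
{"reqUser": "testuser", "resource": "/testcase/.snapshot/s1", "policy": -1, "result": 0}
"""

# /root/.snapshot, /root/.snapshot/<name> or /root/.snapshot/<name>/rest
SNAPSHOT_RE = re.compile(
    r"^(?P<root>.*?)/\.snapshot(?:/(?P<name>[^/]+)(?P<rest>/.*)?)?$"
)

def live_path(resource):
    """Return the live path a snapshot path refers to, or None if the
    resource is not under a .snapshot directory."""
    m = SNAPSHOT_RE.match(resource)
    if not m:
        return None
    return (m.group("root") + (m.group("rest") or "")) or "/"

def snapshot_policy_gaps(audit_text):
    """List snapshot accesses logged with policy -1, together with the
    policy ids that matched the same user on the live path."""
    records = [json.loads(l) for l in audit_text.splitlines() if l.strip()]
    matched = {}  # (user, live resource) -> policy ids that matched it
    for r in records:
        if r["policy"] != -1 and live_path(r["resource"]) is None:
            key = (r["reqUser"], r["resource"])
            matched.setdefault(key, set()).add(r["policy"])
    gaps = []
    for r in records:
        live = live_path(r["resource"])
        if live is None or r["policy"] != -1:
            continue  # not a snapshot access, or a policy did match
        gaps.append({
            "user": r["reqUser"],
            "snapshot_path": r["resource"],
            "live_path": live,
            "live_policies": sorted(matched.get((r["reqUser"], live), set())),
        })
    return gaps

if __name__ == "__main__":
    for gap in snapshot_policy_gaps(SAMPLE_AUDIT):
        print(gap)
```

A non-empty "live_policies" list alongside policy -1 on the snapshot path is the mismatch this issue describes: the live directory is covered by a Ranger policy while its snapshot is not.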