ranger-dev mailing list archives

From Tanping Wang <tanpi...@gmail.com>
Subject Re: Does Ranger Restrict Any Permission
Date Wed, 01 Jul 2015 21:22:31 GMT
Hi, Boston,
Thanks for the reply!

The purpose of Ranger is to manage security policy in one place.  I would
agree with you that I want to manage the entire HDFS ACL in one place, for
example.  If this is the case, I would restrict any file permission to a
user, John, on HDFS, and grant any permission that is needed for John on
Ranger only.  But this brings at least two problems:

In case of creating new directories, the admin has to go to HDFS to create
any new directory and revoke any permission to any user.  Secondly, the admin
would need to go to Ranger to open up file/directory permissions one by one.
HDFS also has its own ACL; this feels very confusing to someone who is
used to managing HDFS ACL, doesn't it?

Also, users will have to go to the Ranger UI in order to view what
permissions they have.  In the meantime, the user will be able to see any other
permissions granted to any other users?   (I believe the Ranger UI does not
have a way to restrict a person to viewing his own permissions only at this
moment?)  This introduces a privacy/security concern.

Is there any good explanation or recommendation to address these?

Regards,
Tanping

On Wed, Jul 1, 2015 at 6:17 AM, Don Bosco Durai <bosco@apache.org> wrote:

> Tanping
>
> Current Ranger permission model is permissive, which means by default
> there are no permissions. However, if you give one, then you can't take
> back.
>
> This model simplifies the management of the policies. However, if you want
> to revoke permissions for certain user, then it becomes difficult.
>
> In your use case, we recommend that you manage HDFS permissions only from
> Ranger. You should do "hdfs dfs -chmod -R 0000 /usr/hive" and then give
> explicit permissions to users from Ranger.
>
> If you are using HiveServer2, then we recommend to configure HS2 with
> "doAs=false". In this case, you just need to give permission to user
> "hive" in the HDFS level and manage all the table/column permissions at
> the Hive level using Ranger. In this case, you can also give more granular
> permissions up to column level.
>
> If you feel revoke will be useful for you, then can you create a JIRA. In
> the next release we can come up with a simplified version of revoke.
>
> Thanks
>
> Bosco
>
>
> On 7/1/15, 12:57 PM, "Tanping Wang" <tanpingw@gmail.com> wrote:
>
> >Hi, all,
> >My understanding of Ranger is that Ranger would open up/relax the file
> >permission inherited from Unix.  Can Ranger restrict/remove the
> >permissions
> >for a user?  For example, if a user, John does have permission to
> >/usr/hive.  Can Ranger revoke the permission?
> >Regards,
> >tanping
>
>
>
