ranger-dev mailing list archives

From Don Bosco Durai <bo...@apache.org>
Subject Re: Does Ranger Restrict Any Permission
Date Thu, 02 Jul 2015 23:59:38 GMT
Tanping,

The main point is how you want to manage your permissions. HDFS by default
uses posix model, which forces it to provide ACLs at each file level. You
can use umask to make it easier for you, but if you change the parent
folder permission, you need to change recursively for sub-folders and
files.

What we have seen is, most deployments manage their permissions at high
levels only. E.g. In Hive, you will have a folder for database, sub-folder
for tables, within that for partitions. So regardless how many partitions
and files you might have, it makes sense to give permission only at the
table folder level. So in Ranger, you just need to create one policy with
recursive ON for the table folder. If there are multiple tables with
similar permission sets, then you club them into one policy itself. This
makes it easy for management. Also, in Ranger you can create the policy
before the resource is created, which makes it more scalable.

This is a mind-set change for those who have been using posix model or
want it to behave as regular file system. But HDFS is used in many
different ways. E.g. Hbase manages its own folders/files. Hive gives both
options. 

There is no right or wrong way of doing it. If you are comfortable with
posix, then you can continue using chmod/setAcl. And Ranger can help you
in Auditing. Or you can do hybrid, which might be confusing for some, but
gives you more flexibility. You can use Ranger exclusively for HDFS, but
we have seen that some tools like Apache Falcon still use chmod/chown on
newly created folders and files, which can cause issues.

Since Ranger provides REST APIs to manage the policies, high level
tools/apps should use REST APIs to manage the policies.

>Also users will have to go to Ranger UI in order to view what permission
>that s/he has. 

This is an issue. From command line, it is not possible to see the Ranger
permissions on the folder/file. We could overwrite the hdfs API to give the
permissions from Ranger along with the HDFS local permissions. This is
something we can work with the HDFS community. Ranger could also give a
command line interface, but we have to evaluate the merits for this.

>In the mean while, the user will be able to see any other
>permissions granted to any other users?   (I believe Ranger UI does not
>have a way to restrict a person to view his own permission only at this
>moment?)  This introduces a privacy/security concern.

Ranger UI is access controlled. You can see the permissions for the
resources you have delegated admin privileges.

Ranger doesn’t have the concept of “owner”. This helps us to make it more
enterprise friendly, because it doesn’t make a lot of sense in an
enterprise to have a user to be an owner of a table. I know RDBMS follows
“owner” model. But if the user leaves the company, what happens? So
instead of owner, Ranger uses the concept of “delegated admin”, where you
can assign users/groups to manage the resource. And since every policy
change is audited, there is accountability and traceability.

Separation of duty (compliance) is another place you may not want owner to
have read access by default. E.g. The DBA might have permission to
create/alter the table, but s/he might not have permission to do select on
it.

Since ordinary user can’t see the permissions, there are no
privacy/security concerns. But I feel, we should provide some way for the
user to know what permissions s/he has. If you have some suggestions, we
can discuss it.

Thanks

Bosco





On 7/2/15, 2:42 PM, "Balaji Ganesan" <balaji.ganesan03@gmail.com> wrote:

>I am not sure I understand fully the concern here. Business users usually
>do not go into Ranger UI and manage their permissions, the permissions are
>typically managed by a security or a Hadoop administrator. Business users
>usually request what permission they need and the administrators set it
>up.
>After that, it is transparent to them on how the policies are setup in
>Ranger.
>
>You can express HDFS policy using wildcards or include multiple
>directories
>or files in the same policy. That is the benefit of using Ranger vs HDFS
>ACL where you would need to manage permissions at directory or file level.
>
>Admins can pre-create policies in Ranger and then create directories or
>files in HDFS.
>
>On Thu, Jul 2, 2015 at 2:52 AM, Tanping Wang <tanpingw@gmail.com> wrote:
>
>> Hi, Boston,
>> Thanks for the reply!
>>
>> The purpose of Ranger is to manage security policy in one place.  I
>>would
>> agree with you that I want to manage the entire HDFS ACL at one place,
>>for
>> example.  If this is the case, I would restrict any file permission to a
>> user, John on HDFS, and grant any permission is needed for John on
>>Ranger
>> only.  But this brings at least two problems:
>>
>> In case of creating new directories, admin has to go to HDFS to create
>>any
>> new directory and revoke any permission to any user.  Secondly admin
>>would
>> need to go to Ranger to open up file/directory permissions one by one.
>> HDFS also has its own ACL, this feels very confusing to someone who is
>> used to manage HDFS ACL, doesn't it?
>>
>> Also users will have to go to Ranger UI in order to view what permission
>> that s/he has.  In the mean while, the user will be able to see any
>>other
>> permissions granted to any other users?   (I believe Ranger UI does not
>> have a way to restrict a person to view his own permission only at this
>> moment?)  This introduces a privacy/security concern.
>>
>> Is this any good explanation or recommendation to address these?
>>
>> Regards,
>> Tanping
>>
>> On Wed, Jul 1, 2015 at 6:17 AM, Don Bosco Durai <bosco@apache.org>
>>wrote:
>>
>> > Tanping
>> >
>> > Current Ranger permission model is permissive, which means by default
>> > there are no permissions. However, if you give one, then you can't
>>take
>> > back.
>> >
>> > This model simplifies the management of the policies. However, if you
>> want
>> > to revoke permissions for certain user, then it becomes difficult.
>> >
>> > In your use case, we recommend that you manage HDFS permissions only
>>from
>> > Ranger. You should do "hdfs dfs -chmod -R 0000 /usr/hive" and then
>>give
>> > explicit permissions to users from Ranger.
>> >
>> > If you are using HiveServer2, then we recommend to configure HS2 with
>> > "doAs=false". In this case, you just need to give permission to user
>> > "hive" in the HDFS level and manage all the table/column permissions
>>at
>> > the Hive level using Ranger. In this case, you can also give more
>> granular
>> > permissions up to column level.
>> >
>> > If you feel revoke will be useful for you, then can you create a
>>JIRA. In
>> > the next release we can come up with a simplified version of revoke.
>> >
>> > Thanks
>> >
>> > Bosco
>> >
>> >
>> > On 7/1/15, 12:57 PM, "Tanping Wang" <tanpingw@gmail.com> wrote:
>> >
>> > >Hi, all,
>> > >My understanding of Ranger is that Ranger would open up/relax the
>>file
>> > >permission inherited from Unix.  Can Ranger restrict/remove the
>> > >permissions
>> > >for a user?  For example, if a user, John does have permission to
>> > >/usr/hive.  Can Ranger revoke the permission?
>> > >Regards,
>> > >tanping
>> >
>> >
>> >
>>
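
The permission model discussed in this thread, as an added example that is not part of the original messages and is not Ranger's code: a Ranger policy can only grant, and HDFS's own mode bits still apply, so a user keeps access until HDFS itself is locked down. The `Policy` structure, function names, users and paths are hypothetical, and the fall-back to POSIX bits (owner and "other" only, no groups or ACLs) is a simplifying assumption.

```python
# Simplified model (assumption): a request is allowed if a Ranger policy
# grants it; otherwise the HDFS POSIX mode bits of the target decide.
from dataclasses import dataclass

@dataclass
class Policy:                 # hypothetical structure, not Ranger's schema
    path: str
    recursive: bool
    users: set
    accesses: set             # subset of {"read", "write", "execute"}

BITS = {"read": 4, "write": 2, "execute": 1}

def policy_matches(policy, path):
    base = policy.path.rstrip("/")
    if path.rstrip("/") == base:
        return True
    # Match on a path-component boundary so /sales does not cover /sales_archive.
    return policy.recursive and path.startswith(base + "/")

def ranger_grants(policies, user, path, access):
    return any(policy_matches(p, path) and user in p.users and access in p.accesses
               for p in policies)

def posix_grants(mode, owner, user, access):
    digit = (mode >> 6) & 7 if user == owner else mode & 7
    return bool(digit & BITS[access])

def effective_access(policies, mode, owner, user, path, access):
    return (ranger_grants(policies, user, path, access)
            or posix_grants(mode, owner, user, access))

# Constructed sample: one recursive policy on a table folder, written before
# any partition exists, covers every file created under it later.
POLICIES = [Policy("/usr/hive/warehouse/sales", True, {"alice"}, {"read"})]
PARTITION = "/usr/hive/warehouse/sales/dt=2015-07-02/part-00000"

def demo():
    return {
        # No policy names john, but open HDFS bits still let him read.
        "john_hdfs_0755": effective_access(POLICIES, 0o755, "hive", "john", PARTITION, "read"),
        # After chmod -R 0000, only Ranger grants remain.
        "john_hdfs_0000": effective_access(POLICIES, 0o000, "hive", "john", PARTITION, "read"),
        "alice_hdfs_0000": effective_access(POLICIES, 0o000, "hive", "alice", PARTITION, "read"),
        "alice_write_0000": effective_access(POLICIES, 0o000, "hive", "alice", PARTITION, "write"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, allowed)
```
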


