ranger-dev mailing list archives

From "Madhan Neethiraj (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-357) Update Ranger HDFS plugin to use HDFS Authorization API
Date Mon, 14 Mar 2016 21:33:33 GMT

    [ https://issues.apache.org/jira/browse/RANGER-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15194186#comment-15194186 ]

Madhan Neethiraj commented on RANGER-357:
-----------------------------------------

Ranger HDFS plugin update to use the HDFS authorization API results in a few changes in Ranger
authorization of access to HDFS files/directories. These changes are detailed below.

Before looking at the change details, let's take a look at a few details of HDFS native authorization.
For a user to access an HDFS file/directory, HDFS native authorization requires the user to
have EXECUTE access on all ancestor directories and appropriate accesses on the target file/directory
and its parent directory, as shown in the following examples:

{noformat}
 ---------------------------------------------
| Command       | Target | Parent | Ancestors |
|---------------------------------------------|
| mkdir         |   -    |   WX   |     X     |
|---------------------------------------------|
| rmdir         |   RX   |   WX   |     X     |
|---------------------------------------------|
| copyFromLocal |   -    |   WX   |     X     |
|---------------------------------------------|
| rm            |   -    |   WX   |     X     |
|---------------------------------------------|
| cat           |   R    |   X    |     X     |
|---------------------------------------------|
| appendToFile  |   W    |   X    |     X     |
|---------------------------------------------|
| ls            |   RX   |   X    |     X     |
 ---------------------------------------------
{noformat}

Now to the details of the changes in Ranger authorization since integration with HDFS pluggable
authorization API:
 - Ranger authorization does not require the user to have EXECUTE access on all ancestor directories.
It only requires the user to have appropriate access on the target file/directory and its
parent directory. This should make it simpler for administrators to set up Ranger authorization
policies, i.e. no need to ensure EXECUTE access to all ancestor directories.
 - Earlier, authorization at each level, i.e. target/parent/ancestors, could be granted either
by Ranger policies or by HDFS native ACLs. Now, all necessary authorizations must be either
granted by Ranger policies or by HDFS native ACLs. This does not allow an authorization to
be partly granted by Ranger policies and partly by native ACLs.



> Update Ranger HDFS plugin to use HDFS Authorization API
> -------------------------------------------------------
>
>                 Key: RANGER-357
>                 URL: https://issues.apache.org/jira/browse/RANGER-357
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
>
>
> With HDFS-6826, HDFS supports a plugin interface to enable delegation of HDFS authorization.
> Ranger HDFS plugin should be updated to use the plugin interface.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
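
The rules described in the comment above, as an added Python sketch that is not part of the original message and is not Ranger or HDFS code. It assumes grants are per-user maps from an exact path to permission letters (no recursive policies, groups or deny rules), that the earlier either-source rule applied per level, and that the native fallback checks the full native requirement; all function and variable names are hypothetical.

```python
# Added illustration: toy model of the rules in the comment, not Ranger or HDFS code.
# Required accesses per command as (target, parent, ancestors), copied from the table.
REQUIRED = {
    "mkdir": ("", "WX", "X"), "rmdir": ("RX", "WX", "X"),
    "copyFromLocal": ("", "WX", "X"), "rm": ("", "WX", "X"),
    "cat": ("R", "X", "X"), "appendToFile": ("W", "X", "X"),
    "ls": ("RX", "X", "X"),
}

def levels(path):
    """Split an absolute, non-root path into (target, parent, ancestors above parent)."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return dirs[-1], dirs[-2], dirs[:-2]

def granted(grants, path, need):
    """True if grants (path -> permission letters) covers every letter in need."""
    return set(need) <= set(grants.get(path, ""))

def native_allows(cmd, path, acl):
    """HDFS native rule: target, parent and EXECUTE on every ancestor."""
    t, p, a = REQUIRED[cmd]
    target, parent, ancestors = levels(path)
    return (granted(acl, target, t) and granted(acl, parent, p)
            and all(granted(acl, d, a) for d in ancestors))

def ranger_allows(cmd, path, policy):
    """Ranger rule after the change: target and parent only."""
    t, p, _ = REQUIRED[cmd]
    target, parent, _ = levels(path)
    return granted(policy, target, t) and granted(policy, parent, p)

def allowed_before(cmd, path, policy, acl):
    """Earlier behaviour (assumed per-level): either source may grant each level."""
    t, p, a = REQUIRED[cmd]
    target, parent, ancestors = levels(path)
    def either(d, need):
        return granted(policy, d, need) or granted(acl, d, need)
    return (either(target, t) and either(parent, p)
            and all(either(d, a) for d in ancestors))

def allowed_now(cmd, path, policy, acl):
    """Current behaviour: one source must grant everything that source requires."""
    return ranger_allows(cmd, path, policy) or native_allows(cmd, path, acl)

# Constructed sample grants for one user (not from the original message).
PATH = "/data/sales/q1.csv"
RANGER_TARGET_ONLY = {PATH: "R"}
ACL_TRAVERSE_ONLY = {"/": "X", "/data": "X", "/data/sales": "X"}
RANGER_FULL = {PATH: "R", "/data/sales": "X"}
```

With the constructed grants, `cat` on `PATH` passes `allowed_before` but fails `allowed_now` when Ranger grants only the target and native ACLs grant only traversal, while `RANGER_FULL` passes `ranger_allows` with no access on `/` or `/data`.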
