Abhay Kulkarni created RANGER-3337:
--------------------------------------
Summary: Ranger policy not taking effect with HDFS Snapshots
Key: RANGER-3337
URL: https://issues.apache.org/jira/browse/RANGER-3337
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Abhay Kulkarni
Assignee: Abhay Kulkarni
Steps to reproduce the issue:
Step 1
======
Create a new HDFS policy in Ranger.
Policy Details:
- Policy Name: testcase
- Resource Path: /testcase
Allow Conditions:
- Select User: testuser
- Enabled: yes
- Recursive: yes
- Audit Logging: yes
- Permissions: Read, Write, Execute
Make a note of the Policy ID of the new policy. In my case, it was Policy ID
1976.
Note that "testuser" should be a non-privileged account. On my cluster I'm
using "testuser", but you may choose something different.
Step 2
======
Run the following commands whilst authenticated as the "hdfs" superuser:
$ hdfs dfs -mkdir -p /testcase/dir1
$ hdfs dfsadmin -allowSnapshot /testcase
$ hdfs dfs -createSnapshot /testcase s1
Step 3
======
Run the following commands whilst authenticated as the "testuser" user:
$ hdfs dfs -ls /testcase
$ hdfs dfs -ls /testcase/dir1
$ hdfs dfs -ls /testcase/.snapshot/s1
NOTE: you might get a permission denied error when you run "hdfs dfs -ls
/testcase/.snapshot/s1". For the purposes of this test case, it does not matter
whether the command succeeds
Step 4
======
Review the Ranger audit log for the 3 commands you just ran to notice the
following:
- The policy id in first command (hdfs dfs -ls /testcase) is the policy id of
the policy created in step 1, e.g. 1976
- The policy id in second command (hdfs dfs -ls /testcase/dir1) is the policy
id for the policy created in step 1, e.g. 1976
- The policy id in the third command (hdfs dfs -ls /testcase/.snapshot/s1) is
"-1", e.g. Ranger did not find a matching policy
Therefore, Ranger HDFS policy is not evaluated for HDFS snapshots.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
