[ https://issues.apache.org/jira/browse/RANGER-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Velmurugan Periasamy updated RANGER-3337:
-----------------------------------------
    Fix Version/s: 2.2.0
                   3.0.0

> Ranger policy not taking effect with HDFS Snapshots
> ---------------------------------------------------
>
>                 Key: RANGER-3337
>                 URL: https://issues.apache.org/jira/browse/RANGER-3337
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhay Kulkarni
>            Assignee: Abhay Kulkarni
>            Priority: Major
>             Fix For: 3.0.0, 2.2.0
>
>
> Steps to reproduce the issue:
> Step 1
> ======
> Create a new HDFS policy in Ranger.
> Policy Details:
>  - Policy Name: testcase
>  - Resource Path: /testcase
> Allow Conditions:
>  - Select User: testuser
>  - Enabled: yes
>  - Recursive: yes
>  - Audit Logging: yes
>  - Permissions: Read, Write, Execute
> Make a note of the Policy ID of the new policy. In my case, it was Policy ID 
> 1976.
> Note that "testuser" should be a non-privileged account. On my cluster I'm 
> using "testuser", but you may choose something different.
> Step 2
> ======
> Run the following commands whilst authenticated as the "hdfs" superuser:
> $ hdfs dfs -mkdir -p /testcase/dir1
> $ hdfs dfsadmin -allowSnapshot /testcase
> $ hdfs dfs -createSnapshot /testcase s1
> Step 3
> ======
> Run the following commands whilst authenticated as the "testuser" user:
> $ hdfs dfs -ls /testcase
> $ hdfs dfs -ls /testcase/dir1
> $ hdfs dfs -ls /testcase/.snapshot/s1
> NOTE: you might get a permission denied error when you run "hdfs dfs -ls 
> /testcase/.snapshot/s1". For the purposes of this test case, it does not 
> matter whether the command succeeds.
> Step 4
> ======
> Review the Ranger audit log for the 3 commands you just ran to notice the 
> following:
>  - The policy id in first command (hdfs dfs -ls /testcase) is the policy id 
> of the policy created in step 1, e.g. 1976
>  - The policy id in second command (hdfs dfs -ls /testcase/dir1) is the 
> policy id for the policy created in step 1, e.g. 1976
>  - The policy id in the third command (hdfs dfs -ls /testcase/.snapshot/s1) 
> is "-1", e.g. Ranger did not find a matching policy
> Therefore, Ranger HDFS policy is not evaluated for HDFS snapshots.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
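
The Step 4 audit review can be automated. The following is an added example, not part of the original ticket or of Ranger's code: it scans audit events for `.snapshot` accesses recorded with policy id -1 and reports which policy matched the corresponding live path. The JSON field names (`reqUser`, `resource`, `policy`) are assumed to follow Ranger's JSON audit layout, and the sample events are constructed.

```python
import json
import re

# Constructed sample audit events (not taken from the ticket's cluster).
# Field names are an assumption about the audit export being reviewed.
SAMPLE_AUDIT = """\
{"reqUser": "testuser", "resource": "/testcase", "access": "read", "policy": 1976}
{"reqUser": "testuser", "resource": "/testcase/dir1", "access": "read", "policy": 1976}
{"reqUser": "testuser", "resource": "/testcase/.snapshot/s1", "access": "read", "policy": -1}
{"reqUser": "testuser", "resource": "/other/.snapshot/s9/x", "access": "read", "policy": -1}
"""

# HDFS snapshot paths look like <snapshottable dir>/.snapshot/<name>[/<rest>]
SNAPSHOT_RE = re.compile(r"^(?P<root>.*?)/\.snapshot/(?P<name>[^/]+)(?P<rest>/.*)?$")


def live_path(resource):
    """Return the live path a snapshot path refers to, or None if not a snapshot path."""
    m = SNAPSHOT_RE.match(resource)
    if not m:
        return None
    return (m.group("root") + (m.group("rest") or "")) or "/"


def unmatched_snapshot_accesses(audit_text):
    """List snapshot accesses logged with policy -1, with the live path's policy id."""
    events = [json.loads(line) for line in audit_text.splitlines() if line.strip()]
    # Policy id recorded for each (user, live path) that did match a policy.
    matched = {
        (e["reqUser"], e["resource"]): e["policy"]
        for e in events
        if e["policy"] != -1 and live_path(e["resource"]) is None
    }
    findings = []
    for e in events:
        live = live_path(e["resource"])
        if live is None or e["policy"] != -1:
            continue
        findings.append({
            "user": e["reqUser"],
            "snapshot_path": e["resource"],
            "live_path": live,
            # None means the live path was not seen with a matching policy either.
            "live_policy": matched.get((e["reqUser"], live)),
        })
    return findings


if __name__ == "__main__":
    for finding in unmatched_snapshot_accesses(SAMPLE_AUDIT):
        print(finding)
```

A finding whose `live_policy` is set shows the behaviour described in the ticket: the same user's access to the live path matched a policy, while the snapshot path was evaluated with no policy.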