[ https://issues.apache.org/jira/browse/RANGER-5193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17953114#comment-17953114 ]
Chinmay N Hegde edited comment on RANGER-5193 at 5/21/25 10:55 AM:
-------------------------------------------------------------------

[~guru] may I please know which version of Ranger you are using?

was (Author: JIRAUSER309092):
[~guru] may I please know which Ranger version you are using?

> Execute permission on HDFS folder in HDFS Ranger policy does not behave the
> same as HDFS POSIX permissions
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5193
>                 URL: https://issues.apache.org/jira/browse/RANGER-5193
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Kunal
>            Priority: Major
>
> If the resource path (HDFS directory) is not managed via Ranger, only execute
> permission is enough to traverse the directory.
> Whereas, if the resource path (HDFS directory) is managed via Ranger with
> denyAllElse set to TRUE, the user needs both Read and Execute permissions to be
> given on the directory in Ranger to be able to read a sub-directory which has
> full permissions for the user.
>
> Steps to reproduce:
> 1. Create a folder called test-db under /tmp and assign 751 permissions where
> everybody has just the "execute" permission
>
> [hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db
> [hdfs@hostname ~]$ hdfs dfs -chmod 751 /tmp/test-db
> [hdfs@hostname ~]$ hdfs dfs -ls -d /tmp/test-db
> drwxr-x--x - hdfs hdfs 0 2025-04-07 09:54 /tmp/test-db
>
> 2. As the hdfs user, create a sub-folder t1 under test-db and give complete access
> only to your ID (kunal)
>
> [hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db/t1
>
> 3. Add some files under t1: /tmp/test-db/t1
> [hdfs@hostname ~]$ hdfs dfs -put /etc/hosts /tmp/test-db/t1
> [hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
> -rw-r--r-- 3 hdfs hdfs 211 2025-04-15 10:46 /tmp/test-db/t1/hosts
>
> 4. Change ownership of all files and folders of t1 to your user (kunal) and
> give only your user the permission (700)
> [hdfs@hostname ~]$ hdfs dfs -chown -R kunal /tmp/test-db/t1
> [hdfs@hostname ~]$ hdfs dfs -chmod -R 700 /tmp/test-db/t1
> [hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db
> Found 1 items
> drwx------ - kunal hdfs 0 2025-04-07 10:31 /tmp/test-db/t1
> [hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
> Found 1 items
> -rwx------ 3 kunal hdfs 211 2025-04-15 10:46 /tmp/test-db/t1/hosts
>
> 5. Log in as your ID and try to list the test-db/t1 folder
> [kunal@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
> Found 1 items
> -rwx------ 3 kunal hdfs 211 2025-04-15 10:46 /tmp/test-db/t1/hosts
>
> Conclusion:
> So, when we have no Ranger policy created on the parent path (/tmp/test-db) and
> execute permissions are given to everybody (751) on /tmp/test-db, as the kunal
> user I'm able to list the files under the t1 folder and read the contents of the
> hosts file at /tmp/test-db/t1/hosts.
>
> But when I create an HDFS Ranger policy on the /tmp/test-db location with the
> "DenyAllElse" flag set to TRUE and provide the kunal user only execute
> permission, and another policy on its sub-directory (t1), /tmp/test-db/t1,
> with the kunal user having full permissions (read, write, execute), to even list the
> files under folder t1 (/tmp/test-db/t1) it expects kunal to have "read and
> execute" permissions on the parent directory (/tmp/test-db).
>
> Just execute permission on the parent directory must be fine, similar to HDFS
> POSIX permissions.
>
> [kunal@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
> ls: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException:
> Permission denied: user=kunal, access=READ_EXECUTE, inode="/tmp/test-db/t1"

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
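The POSIX traversal rule the reporter relies on (execute on every ancestor directory, then the operation's own bits on the target), written out as a small permission model. This is an added example and is not code from the Jira issue, from Ranger or from HDFS; it models only the plain HDFS/POSIX check, not Ranger's policy evaluation. The paths, owners and modes are the reporter's (751 on /tmp/test-db, 700 on /tmp/test-db/t1 and its file, owned by kunal); the modes of / and /tmp, the group membership, the user "alice" and the 750 what-if are constructed, and the denial strings only imitate the shape of HDFS's "Permission denied" message.

```python
"""POSIX-style traversal check for the paths in RANGER-5193 (added example)."""
from dataclasses import dataclass

R, W, X = 4, 2, 1
# Names HDFS uses for permission sets (FsAction) in its denial messages.
ACTION_NAMES = {
    X: "EXECUTE", W: "WRITE", W | X: "WRITE_EXECUTE", R: "READ",
    R | X: "READ_EXECUTE", R | W: "READ_WRITE", R | W | X: "ALL",
}


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o751


# Constructed namespace mirroring steps 1-4 of the report.
NAMESPACE = {
    "/": Inode("hdfs", "hdfs", 0o755),          # assumed
    "/tmp": Inode("hdfs", "hdfs", 0o1777),      # assumed
    "/tmp/test-db": Inode("hdfs", "hdfs", 0o751),
    "/tmp/test-db/t1": Inode("kunal", "hdfs", 0o700),
    "/tmp/test-db/t1/hosts": Inode("kunal", "hdfs", 0o700),
}
# Constructed group membership: neither user is in the other's group.
GROUPS = {"hdfs": {"hdfs"}, "kunal": {"kunal"}}


def bits_for(inode, user):
    """Owner, group or other permission triplet that applies to user."""
    if user == inode.owner:
        return (inode.mode >> 6) & 7
    if inode.group in GROUPS.get(user, set()):
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def ancestors(path):
    """Every directory above path, root first; empty for the root itself."""
    parts = [p for p in path.split("/") if p]
    if not parts:
        return []
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def check(user, path, needed, ns=NAMESPACE):
    """POSIX check: EXECUTE on each ancestor, then `needed` on the target.

    Returns None when allowed, otherwise a denial string in the shape of
    HDFS's "Permission denied" message naming the first inode that fails.
    """
    for anc in ancestors(path):
        if not bits_for(ns[anc], user) & X:
            return f'Permission denied: user={user}, access=EXECUTE, inode="{anc}"'
    if bits_for(ns[path], user) & needed != needed:
        return (f'Permission denied: user={user}, '
                f'access={ACTION_NAMES[needed]}, inode="{path}"')
    return None


def ls(user, path, ns=NAMESPACE):
    """Listing a directory reads it and resolves its children: READ_EXECUTE."""
    return check(user, path, R | X, ns)


def cat(user, path, ns=NAMESPACE):
    """Reading a file needs READ on the file plus traversal of its parents."""
    return check(user, path, R, ns)


def with_mode(ns, path, mode):
    """Copy of ns with one inode's mode changed, for what-if checks."""
    new = dict(ns)
    new[path] = Inode(ns[path].owner, ns[path].group, mode)
    return new


if __name__ == "__main__":
    # Reporter's step 5: execute-only on the parent is enough to reach t1.
    print("kunal ls t1      :", ls("kunal", "/tmp/test-db/t1"))
    print("kunal cat hosts  :", cat("kunal", "/tmp/test-db/t1/hosts"))
    # Listing the parent itself is denied: 751 gives kunal no READ there.
    print("kunal ls test-db :", ls("kunal", "/tmp/test-db"))
    # A third user traverses test-db but is stopped at t1 (700, owned by kunal).
    print("alice ls t1      :", ls("alice", "/tmp/test-db/t1"))
    # Drop the execute bit for others on the parent and traversal fails there.
    no_x = with_mode(NAMESPACE, "/tmp/test-db", 0o750)
    print("kunal ls t1 (750):", ls("kunal", "/tmp/test-db/t1", no_x))
```

The point the model makes concrete: under POSIX semantics the parent directory's bits decide only whether it can be traversed (X) or itself listed (R), so kunal can list and read inside t1 while still being unable to list /tmp/test-db; the Ranger error in the report, by contrast, is raised for a listing that this rule allows.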