[ https://issues.apache.org/jira/browse/RANGER-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15194186#comment-15194186 ]

Madhan Neethiraj commented on RANGER-357:
-----------------------------------------

Ranger HDFS plugin update to use the HDFS authorization API results in a few 
changes in Ranger authorization of access to HDFS files/directories. These 
changes are detailed below.

Before looking at the change details, let's take a look at a few details of HDFS 
native authorization. For a user to access an HDFS file/directory, HDFS native 
authorization requires the user to have EXECUTE access on all ancestor 
directories and appropriate accesses on the target file/directory and its 
parent directory, as shown in the following examples:

{noformat}
 ---------------------------------------------
| Command       | Target | Parent | Ancestors |
|---------------------------------------------|
| mkdir         |   -    |   WX   |     X     |
|---------------------------------------------|
| rmdir         |   RX   |   WX   |     X     |
|---------------------------------------------|
| copyFromLocal |   -    |   WX   |     X     |
|---------------------------------------------|
| rm            |   -    |   WX   |     X     |
|---------------------------------------------|
| cat           |   R    |    X   |     X     |
|---------------------------------------------|
| appendToFile  |   W    |    X   |     X     |
|---------------------------------------------|
| ls            |   RX   |    X   |     X     |
 ---------------------------------------------
{noformat}

Now to the details of the changes in Ranger authorization since integration 
with HDFS pluggable authorization API:
 - Ranger authorization does not require the user to have EXECUTE access on all 
ancestor directories. It only requires the user to have appropriate access on 
the target file/directory and its parent directory. This should make it simpler 
for administrators to set up Ranger authorization policies, i.e. no need to 
ensure EXECUTE access to all ancestor directories.
 - Earlier, authorization at each level, i.e. target/parent/ancestors, could be 
granted either by Ranger policies or by HDFS native ACLs. Now, all necessary 
authorizations must be either granted by Ranger policies or by HDFS native 
ACLs. This does not allow an authorization to be partly granted by Ranger 
policies and partly by native ACLs.



> Update Ranger HDFS plugin to use HDFS Authorization API
> -------------------------------------------------------
>
>                 Key: RANGER-357
>                 URL: https://issues.apache.org/jira/browse/RANGER-357
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
>
>
> With HDFS-6826, HDFS supports a plugin interface to enable delegation of HDFS 
> authorization. Ranger HDFS plugin should be updated to use the plugin 
> interface.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
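
The two changes described in the comment above, written as a small model so an administrator can check which accesses that relied on split grants stop working. This is an added illustration, not Ranger or HDFS source code; the function names, the per-path grant dictionaries (explicit grants only, no recursive policies) and the sample paths are assumptions made for the example.

```python
# Simplified model of the rules in the comment; not Ranger or HDFS source code.
# Required accesses per command (target, parent, ancestors), copied from the
# table in the comment; "" means no access is required at that level.
REQUIRED = {
    "mkdir":         ("",   "WX", "X"),
    "rmdir":         ("RX", "WX", "X"),
    "copyFromLocal": ("",   "WX", "X"),
    "rm":            ("",   "WX", "X"),
    "cat":           ("R",  "X",  "X"),
    "appendToFile":  ("W",  "X",  "X"),
    "ls":            ("RX", "X",  "X"),
}

def needs(command, path):
    """Return [(path, required accesses, level)] for a non-root absolute path."""
    parts = [p for p in path.split("/") if p]
    chain = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    target_req, parent_req, ancestor_req = REQUIRED[command]
    out = [(chain[-1], target_req, "target"), (chain[-2], parent_req, "parent")]
    out += [(p, ancestor_req, "ancestor") for p in chain[:-2]]
    return out

def covers(grants, path, required):
    # grants maps a path to a subset of "RWX" (assumed format, explicit grants only)
    return set(required) <= set(grants.get(path, ""))

def native_allows(acls, command, path):
    # HDFS native rule: target, parent and every ancestor must be satisfied.
    return all(covers(acls, p, req) for p, req, _ in needs(command, path))

def ranger_only_allows(policies, command, path):
    # Ranger after the change: only target and parent are checked.
    return all(covers(policies, p, req)
               for p, req, level in needs(command, path) if level != "ancestor")

def allowed_before(policies, acls, command, path):
    # Earlier behaviour: each level could be granted by either source.
    return all(covers(policies, p, req) or covers(acls, p, req)
               for p, req, _ in needs(command, path))

def allowed_after(policies, acls, command, path):
    # New behaviour: one source alone must grant everything it requires.
    return (ranger_only_allows(policies, command, path)
            or native_allows(acls, command, path))

# Constructed sample: Ranger grants READ on the file, native ACLs grant traversal.
POLICIES = {"/data/sales/q1.csv": "R"}
ACLS = {"/": "X", "/data": "X", "/data/sales": "X"}
```

With the constructed grants, `cat /data/sales/q1.csv` is allowed under the earlier behaviour and denied under the new one until the Ranger policy also grants EXECUTE on `/data/sales`.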
