Hi Ben

> Alternatively, is there any way to add the user DOMAIN\build to ranger?

Ranger uses the same username that is used by HDFS. And that will depend on how 
your core-site.xml is configured or how the users are materialized on the Linux 
boxes. You can check the Ranger Audits to see what username is logged 
corresponding to “DOMAIN\build”. This is what HDFS passes to Ranger. Generally, 
it is the Unix OS-friendly name, which you can manually add via the Ranger UI.

> Ideally I would like all users to be able to encrypt and decrypt data from 
> hdfs

This is pretty straightforward in Ranger. You can create a new policy with “*” 
(all resources) and give the “decrypteek” permission to the special group “public”. 
This will allow all users to decrypt the EEK and use it on the files for which 
they have read permission.

Bosco
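
The policy described in the reply above, written out as a Ranger policy definition for a KMS service. This is an added example, not part of the original thread: the service name is a placeholder for your own KMS service in Ranger, the policy name is made up, and the field names follow Ranger's policy model, where the KMS resource is `keyname`.

```json
{
  "service": "<your-kms-service-name>",
  "name": "all-users-decrypteek",
  "description": "Constructed example: members of the special group public (all users) may decrypt EEKs for every key",
  "isEnabled": true,
  "isAuditEnabled": true,
  "resources": {
    "keyname": {
      "values": ["*"],
      "isExcludes": false,
      "isRecursive": false
    }
  },
  "policyItems": [
    {
      "groups": ["public"],
      "users": [],
      "accesses": [
        { "type": "decrypteek", "isAllowed": true }
      ],
      "delegateAdmin": false
    }
  ]
}
```

With audit left enabled, the Ranger Audits view records the username HDFS passes for each decrypt request, which is also how to see what “DOMAIN\build” is mapped to.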
From: Benjamin Ross <br...@lattice-engines.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Tuesday, November 8, 2016 at 5:44 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Cc: "u...@hadoop.apache.org" <u...@hadoop.apache.org>
Subject: allow all users to decrypt?

All,

I'm in the process of configuring our system for hadoop encryption.  We're 
nearly complete - one of the last issues is that we have a build user that 
needs to decrypt data to read it from hdfs.  The issue is that the build user 
is an Active Directory user, so the username is DOMAIN\build, rather than just 
build.  I can't add this username to ranger because the ranger UI doesn't allow 
adding the \ character.

Ideally I would like all users to be able to encrypt and decrypt data from 
hdfs.  It just would make our lives a lot easier - it's explicitly what we want.

Is there any way to do this?  Alternatively, is there any way to add the user 
DOMAIN\build to ranger?

Worst case scenario, I can just modify the test to set HADOOP_USER_NAME to be 
build, but I'd prefer not to do that.

Thanks in advance,

Ben