Hi Loïc Thanks for the feedback.
I think, you are referring to the Hortonworks documentation. We have a place holder in Apache Ranger Wiki site for user guide. We can start working on it. If you can give your confluence id, we can give you edit permission. Thanks Bosco From: Chanel Loïc <loic.cha...@worldline.com> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> Date: Thursday, April 30, 2015 at 1:32 AM To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> Subject: RE: Troubles with HDFS policies > Hi, > > Indeed, the page 10 of the Ranger User Guide specifies : > > ²Through configuration, Apache Ranger enables both Ranger policies and HDFS > permissions to be checked for a user request. When the NameNode receives a > user request, the Ranger plugin checks for policies set through the Ranger > Policy Manager. If there are no policies, the Ranger plugin checks for > permissions set in HDFS. > We recommend that permissions be created at the Ranger Policy Manager, and to > have restrictive permissions at the HDFS level.² > > So setting very restrictive permissions with HDFS allows to manage entirely > the cluster security with Ranger. > Still, as I noticed some small mistakes, do you know how I can contribute to > the documentation improvement ? > > Thanks for your help, > > > Loïc > > > > De : Don Bosco Durai [mailto:bdu...@hortonworks.com] De la part de Don Bosco > Durai > Envoyé : mercredi 29 avril 2015 17:45 > À : user@ranger.incubator.apache.org > Objet : Re: Troubles with HDFS policies > > > Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn¹t find > any permission in it¹s policy database, then it falls back to HDFS permission > check. So make sure in the HDFS level, you have 700 or even 000 for the given > folder and manage all the permissions via Ranger. We recommend pick all > relevant folders (e.g Hive data warehouse folder) and do hdfs dfs -chown -R > hdfs:hdfs $folderName and hdfs dfs chmod 000 R $folderName. > > > > Please note, falling back to native permission is only available in HDFS. > There is a switch to turn it off, but you have to be cautious when using it. > > > > Thanks > > > > Bosco > > > > > > From: Chanel Loïc <loic.cha...@worldline.com> > Reply-To: "user@ranger.incubator.apache.org" > <user@ranger.incubator.apache.org> > Date: Wednesday, April 29, 2015 at 5:24 AM > To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> > Subject: Troubles with HDFS policies > > >> >> Hi All, >> >> As I am trying to set a Hadoop secured cluster with Ranger, I encountered >> some troubles. >> The principal one consists in the fact that even if I have no rights to read, >> write or execute files in a directory, I still can execute a ls command (hdfs >> dfs ls /testdir) showing me the files that I should not be able to read, or >> even see. I can even see the file contents by making a cat on these files >> (hdfs dfs cat /testdir/testfile) that I should not be able to read, which is >> even more problematic to me. >> In parallel, I am not able to put any files in the directory (Permission >> denied for hdfs dfs put myotherfile /testdir/myotherfile), which makes me >> think the policies are correctly set. >> >> Does that sound quite normal to you ? Do you see a solution to make sure my >> user toto cannot see what is in the repository of my user tata ? >> Thanks for your help, >> >> >> Loïc Chanel >> >> >> >> >> Ce message et les pièces jointes sont confidentiels et réservés à l'usage >> exclusif de ses destinataires. Il peut également être protégé par le secret >> professionnel. Si vous recevez ce message par erreur, merci d'en avertir >> immédiatement l'expéditeur et de le détruire. L'intégrité du message ne >> pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra >> être recherchée quant au contenu de ce message. Bien que les meilleurs >> efforts soient faits pour maintenir cette transmission exempte de tout virus, >> l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne >> saurait être recherchée pour tout dommage résultant d'un virus transmis. >> >> This e-mail and the documents attached are confidential and intended solely >> for the addressee; it may also be privileged. If you receive this e-mail in >> error, please notify the sender immediately and destroy it. As its integrity >> cannot be secured on the Internet, the Worldline liability cannot be >> triggered for the message content. Although the sender endeavours to maintain >> a computer virus-free network, the sender does not warrant that this >> transmission is virus-free and will not be liable for any damages resulting >> from any virus transmitted. > > > > Ce message et les pièces jointes sont confidentiels et réservés à l'usage > exclusif de ses destinataires. Il peut également être protégé par le secret > professionnel. Si vous recevez ce message par erreur, merci d'en avertir > immédiatement l'expéditeur et de le détruire. L'intégrité du message ne > pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra > être recherchée quant au contenu de ce message. Bien que les meilleurs efforts > soient faits pour maintenir cette transmission exempte de tout virus, > l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne > saurait être recherchée pour tout dommage résultant d'un virus transmis. > > This e-mail and the documents attached are confidential and intended solely > for the addressee; it may also be privileged. If you receive this e-mail in > error, please notify the sender immediately and destroy it. As its integrity > cannot be secured on the Internet, the Worldline liability cannot be triggered > for the message content. Although the sender endeavours to maintain a computer > virus-free network, the sender does not warrant that this transmission is > virus-free and will not be liable for any damages resulting from any virus > transmitted.
