I have given you the permission. Let's co-ordinate on creating the user guide page.

Thanks

Bosco

From: Chanel Loïc <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Monday, May 4, 2015 at 1:23 AM
To: "[email protected]" <[email protected]>
Subject: RE: Troubles with HDFS policies

> Hi Bosco,
>
> I just created an account on Confluence, my user ID is bartimeux.
> Thanks,
>
> Loïc
>
> From: Don Bosco Durai [mailto:[email protected]] On behalf of Don Bosco Durai
> Sent: Friday, May 1, 2015 06:44
> To: [email protected]
> Subject: Re: Troubles with HDFS policies
>
> Hi Loïc
>
> Thanks for the feedback.
>
> I think you are referring to the Hortonworks documentation.
>
> We have a placeholder in Apache Ranger Wiki site for user guide. We can start
> working on it. If you can give your Confluence ID, we can give you edit
> permission.
>
> Thanks
>
> Bosco
>
> From: Chanel Loïc <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, April 30, 2015 at 1:32 AM
> To: "[email protected]" <[email protected]>
> Subject: RE: Troubles with HDFS policies
>
>> Hi,
>>
>> Indeed, the page 10 of the Ranger User Guide specifies:
>>
>> "Through configuration, Apache Ranger enables both Ranger policies and HDFS
>> permissions to be checked for a user request. When the NameNode receives a
>> user request, the Ranger plugin checks for policies set through the Ranger
>> Policy Manager. If there are no policies, the Ranger plugin checks for
>> permissions set in HDFS.
>> We recommend that permissions be created at the Ranger Policy Manager, and to
>> have restrictive permissions at the HDFS level."
>>
>> So setting very restrictive permissions with HDFS allows to manage entirely
>> the cluster security with Ranger.
>> Still, as I noticed some small mistakes, do you know how I can contribute to
>> the documentation improvement?
>>
>> Thanks for your help,
>>
>> Loïc
>>
>> From: Don Bosco Durai [mailto:[email protected]] On behalf of Don Bosco Durai
>> Sent: Wednesday, April 29, 2015 17:45
>> To: [email protected]
>> Subject: Re: Troubles with HDFS policies
>>
>> Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn't find
>> any permission in its policy database, then it falls back to HDFS permission
>> check. So make sure in the HDFS level, you have 700 or even 000 for the given
>> folder and manage all the permissions via Ranger. We recommend picking all
>> relevant folders (e.g. Hive data warehouse folder) and do hdfs dfs -chown -R
>> hdfs:hdfs $folderName and hdfs dfs -chmod -R 000 $folderName.
>>
>> Please note, falling back to native permission is only available in HDFS.
>> There is a switch to turn it off, but you have to be cautious when using it.
>>
>> Thanks
>>
>> Bosco
>>
>> From: Chanel Loïc <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Wednesday, April 29, 2015 at 5:24 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Troubles with HDFS policies
>>
>>> Hi All,
>>>
>>> As I am trying to set a Hadoop secured cluster with Ranger, I encountered
>>> some troubles.
>>> The principal one consists in the fact that even if I have no rights to
>>> read, write or execute files in a directory, I still can execute a ls
>>> command (hdfs dfs -ls /testdir) showing me the files that I should not be
>>> able to read, or even see. I can even see the file contents by making a cat
>>> on these files (hdfs dfs -cat /testdir/testfile) that I should not be able
>>> to read, which is even more problematic to me.
>>> In parallel, I am not able to put any files in the directory (Permission
>>> denied for hdfs dfs -put myotherfile /testdir/myotherfile), which makes me
>>> think the policies are correctly set.
>>>
>>> Does that sound quite normal to you?
>>> Do you see a solution to make sure my user toto cannot see what is in the
>>> repository of my user tata?
>>> Thanks for your help,
>>>
>>> Loïc Chanel
>>>
>>> This e-mail and the documents attached are confidential and intended solely
>>> for the addressee; it may also be privileged. If you receive this e-mail in
>>> error, please notify the sender immediately and destroy it. As its integrity
>>> cannot be secured on the Internet, the Worldline liability cannot be
>>> triggered for the message content. Although the sender endeavours to
>>> maintain a computer virus-free network, the sender does not warrant that
>>> this transmission is virus-free and will not be liable for any damages
>>> resulting from any virus transmitted.
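
The fallback described in the quoted reply above (no matching Ranger policy, so the native HDFS permission check decides) can be audited from a directory listing. The script below is an added example, not part of the thread or of Ranger; the function names, the reason labels and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag HDFS entries whose native
# permissions would still grant access when Ranger finds no matching policy
# and falls back to the HDFS permission check.
# Real use: hdfs dfs -ls -R "$folderName" | audit_listing

# Print "<path> <perm> <owner>:<group> <reasons>" for every entry that deviates
# from the posture recommended in the thread (hdfs:hdfs, mode 700 or 000).
audit_listing() {
  awk '
    # Skip "Found N items" headers and anything that is not an entry line.
    NF < 8 || $1 !~ /^[-dl][-rwxsStT]+[+.]?$/ { next }
    {
      perm = $1; owner = $3; group = $4
      # Fields 8..NF are the path (it may contain spaces).
      path = $8
      for (i = 9; i <= NF; i++) path = path " " $i
      reason = ""
      # Characters 5-10 are the group and other bits; any set bit is access
      # that the fallback check would grant without a Ranger policy.
      if (substr(perm, 5, 6) != "------") {
        reason = "group/other-access"
      }
      if (owner != "hdfs" || group != "hdfs") {
        reason = (reason == "" ? "" : reason ",") "not-hdfs-owned"
      }
      if (reason != "") print path, perm, owner ":" group, reason
    }'
}

# Constructed sample in the format printed by `hdfs dfs -ls`.
sample_listing() {
  cat <<'EOF'
Found 4 items
drwxr-xr-x   - tata hdfs          0 2015-04-29 05:10 /testdir
-rw-r--r--   3 tata hdfs         42 2015-04-29 05:11 /testdir/testfile
drwx------   - hdfs hdfs          0 2015-04-29 05:12 /apps/hive/warehouse
d---------   - hdfs hdfs          0 2015-04-29 05:13 /secure
EOF
}

sample_listing | audit_listing
```

The two `/testdir` entries are reported because their `r-x` and `r--` bits for "other" explain the `-ls` and `-cat` that succeeded in the original question, while the missing write bit matches the denied `-put`.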
