Thanks Loïc for the quick response! So, to protect PII information from being accessed by admins, encryption is the way ahead. Right?

On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <[email protected]> wrote:

> Hi Suraj Nayak,
>
> As Hadoop authorizations run the same way as Unix ones, *hdfs* is the equivalent of super user in Linux.
>
> So basically yes *hdfs* can bypass any rule/policy set by Ranger as it has all the rights on the cluster.
>
> Regards,
>
> Loïc
>
> *From:* Suraj Nayak [mailto:[email protected]]
> *Sent:* Thursday, June 4, 2015 14:48
> *To:* [email protected]
> *Subject:* hdfs user can bypass policy in ranger
>
> Hi Ranger Users,
>
> I am new to Ranger. What I tried was, I created an HDFS policy for a file created by user say *hdusr*. The policy states only hdusr can access. Ranger behaves perfectly well by denying access to this hdfs file resource for all users other than *hdusr* except *hdfs* user.
>
> Does this mean that *hdfs* superuser can bypass the policy and open, rename and delete a file which is protected by Ranger policy?
>
> Thanks in advance :)
>
> --
> Thanks
> Suraj Nayak M

--
Thanks
Suraj Nayak M
