This is my policy cache
{
"serviceName": "Arendus_hadoop",
"serviceId": 5,
"policyVersion": 11,
"policyUpdateTime": "20151217-12:39:59.171-+0200",
"policies": [
{
"service": "Arendus_hadoop",
"name": "Arendus_hadoop-1-20151216202525",
"description": "Default Policy for Service: Arendus_hadoop",
"resourceSignature": "6f956063401eda656f1eae8870c1afac",
"isAuditEnabled": true,
"resources": {
"path": {
"values": [
"/*"
],
"isExcludes": false,
"isRecursive": true
}
},
"policyItems": [
{
"accesses": [
{
"type": "read",
"isAllowed": true
},
{
"type": "write",
"isAllowed": true
},
{
"type": "execute",
"isAllowed": true
}
],
"users": [
"ambari-qa"
],
"groups": [],
"conditions": [],
"delegateAdmin": true
}
],
"id": 7,
"guid": "1450297525844_383_397",
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": "20151216-20:25:25.551-+0200",
"updateTime": "20151217-10:39:59.148-+0200",
"version": 11
}
],
"serviceDef": {
"name": "hdfs",
"implClass": "org.apache.ranger.services.hdfs.RangerServiceHdfs",
"label": "HDFS Repository",
"description": "HDFS Repository",
"configs": [
{
"itemId": 1,
"name": "username",
"type": "string",
"subType": "",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Username"
},
{
"itemId": 2,
"name": "password",
"type": "password",
"subType": "",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Password"
},
{
"itemId": 3,
"name": "fs.default.name",
"type": "string",
"subType": "",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Namenode URL"
},
{
"itemId": 4,
"name": "hadoop.security.authorization",
"type": "bool",
"subType": "YesTrue:NoFalse",
"mandatory": true,
"defaultValue": "false",
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Authorization Enabled"
},
{
"itemId": 5,
"name": "hadoop.security.authentication",
"type": "enum",
"subType": "authnType",
"mandatory": true,
"defaultValue": "simple",
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Authentication Type"
},
{
"itemId": 6,
"name": "hadoop.security.auth_to_local",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 7,
"name": "dfs.datanode.kerberos.principal",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 8,
"name": "dfs.namenode.kerberos.principal",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 9,
"name": "dfs.secondary.namenode.kerberos.principal",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 10,
"name": "hadoop.rpc.protection",
"type": "enum",
"subType": "rpcProtection",
"mandatory": false,
"defaultValue": "authentication",
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "RPC Protection Type"
},
{
"itemId": 11,
"name": "commonNameForCertificate",
"type": "string",
"subType": "",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Common Name for Certificate"
}
],
"resources": [
{
"itemId": 1,
"name": "path",
"type": "path",
"level": 10,
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": true,
"excludesSupported": false,
"matcher":
"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "false"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Resource Path",
"description": "HDFS file or directory path"
}
],
"accessTypes": [
{
"itemId": 1,
"name": "read",
"label": "Read",
"impliedGrants": []
},
{
"itemId": 2,
"name": "write",
"label": "Write",
"impliedGrants": []
},
{
"itemId": 3,
"name": "execute",
"label": "Execute",
"impliedGrants": []
}
],
"policyConditions": [],
"contextEnrichers": [],
"enums": [
{
"itemId": 1,
"name": "authnType",
"elements": [
{
"itemId": 1,
"name": "simple",
"label": "Simple"
},
{
"itemId": 2,
"name": "kerberos",
"label": "Kerberos"
}
],
"defaultIndex": 0
},
{
"itemId": 2,
"name": "rpcProtection",
"elements": [
{
"itemId": 1,
"name": "authentication",
"label": "Authentication"
},
{
"itemId": 2,
"name": "integrity",
"label": "Integrity"
},
{
"itemId": 3,
"name": "privacy",
"label": "Privacy"
}
],
"defaultIndex": 0
}
],
"id": 1,
"guid": "0d047247-bafe-4cf8-8e9b-d5d377284b2d",
"isEnabled": true,
"createTime": "20151216-13:23:40.132-+0200",
"updateTime": "20151216-13:23:40.138-+0200",
"version": 1
}
}
Margus (margusja) Roo
http://margus.roo.ee
skype: margusja
+372 51 48 780
On 17/12/15 14:20, Margus Roo wrote:
Hi
I am a new Ranger user and perhaps I did something wrong.
I installed Ranger via Ambari. I can log into the Ranger UI, all local
Unix users are synced, there is a configuration under the HDFS resource,
and the test connection gives OK.
I can see loads of hdfs@... records with 200 under audit plugins tab.
Now I am a little confused.
I can still do all operations with HDFS, as if no Ranger HDFS
plugin were activated.
in namenode I see:
authorize.ServiceAuthorizationManager
(ServiceAuthorizationManager.java:authorize(135)) - Authorization
successful for margusja (auth:SIMPLE) for protocol=interface
org.apache.hadoop.hdfs.protocol.ClientProtocol
But I do not have any rules for margusja in Ranger.
What I expect is that user margusja will get permission denied.
I use HDFS simple auth, not Kerberos. Is it possible to use Ranger
authorization without Kerberos?