Kunal created RANGER-5193:
-----------------------------

             Summary: Execute permission on HDFS folder in HDFS Ranger policy 
does not behave the same as HDFS POSIX permissions 
                 Key: RANGER-5193
                 URL: https://issues.apache.org/jira/browse/RANGER-5193
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Kunal


If the resource path (HDFS directory) is not managed via Ranger, only execute 
permission is enough to traverse the directory.
Whereas, if the resource path (HDFS directory) is managed via Ranger with 
denyAllElse set to TRUE, the user needs both Read and Execute permissions 
on the directory in Ranger to be able to read a sub-directory on which the 
user has full permissions.

Steps to reproduce:

1. Create a folder called test-db under /tmp and assign 751 permissions, where 
everybody has just the "execute" permission.

[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db

[hdfs@hostname ~]$ hdfs dfs -chmod 751 /tmp/test-db

[hdfs@hostname ~]$ hdfs dfs -ls -d /tmp/test-db
drwxr-x--x   - hdfs hdfs          0 2025-04-07 09:54 /tmp/test-db

 

2. As the hdfs user, create a sub-folder t1 under test-db and give complete access 
only to your own ID (kunal).

[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db/t1

3. Add some files under t1 (/tmp/test-db/t1):

[hdfs@hostname ~]$ hdfs dfs -put /etc/hosts /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
-rw-r--r--   3 hdfs     hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

 

4. Change ownership of all files and folders under t1 to your user (kunal) and give 
only your user permission (700).

[hdfs@hostname ~]$ hdfs dfs -chown -R kunal /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -chmod -R 700 /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db
Found 1 items
drwx------   - kunal hdfs          0 2025-04-07 10:31 /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------   3 kunal hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts


5. Log in as your ID and try to list the test-db/t1 folder:

[kunal@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------   3 krajguru hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts


Conclusion:

So, when there is no Ranger policy created on the parent path (/tmp/test-db) and 
execute permission is given to everybody (751) on /tmp/test-db, as the kunal 
user I am able to list the files under the t1 folder and read the contents of the 
hosts file at /tmp/test-db/t1/hosts.

But when I create an HDFS Ranger policy on the /tmp/test-db location with the 
"DenyAllElse" flag set to TRUE and give the kunal user only execute permission, 
and another policy on its sub-directory (t1), /tmp/test-db/t1, with full 
permissions (read, write, execute) for the kunal user, then even to list the files 
under folder t1 (/tmp/test-db/t1) it expects kunal to have "read and execute" 
permissions on the parent directory (/tmp/test-db).

Just execute permission on the parent directory must be fine, similar to HDFS 
POSIX permissions.

[krajguru@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
ls: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException: 
Permission denied: user=kunal, access=READ_EXECUTE, inode="/tmp/test-db/t1"



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

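As an added illustration (not part of this ticket, and not HDFS or Ranger code), the following Python models the HDFS traversal rule the report relies on: EXECUTE on every ancestor directory, then the requested access on the target itself, with a directory listing needing READ_EXECUTE on the directory. The same rule is fed from two sources: the POSIX mode bits set up in steps 1-4, and a small policy table shaped like the two Ranger policies described in the conclusion (execute-only with denyAllElse on /tmp/test-db, full access on /tmp/test-db/t1). How Ranger actually combines overlapping policies is not modelled; the "most specific matching policy decides" rule, the fall-back to POSIX bits when no policy matches, and the group memberships are assumptions of this example.

```python
"""Model of the permission checks discussed in RANGER-5193.

Added illustration, not code from the ticket, HDFS or Ranger. Encodes the
HDFS path-traversal rule (EXECUTE on each ancestor, requested access on the
target; listing a directory needs READ_EXECUTE) and feeds it from two sources:
POSIX mode bits and a simplified policy table. The policy combination rule and
the POSIX fall-back below are assumptions, not Ranger's actual evaluation.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 4, 2, 1
READ_EXECUTE = READ | EXECUTE
ACCESS_NAMES = {READ: "READ", WRITE: "WRITE", EXECUTE: "EXECUTE",
                READ_EXECUTE: "READ_EXECUTE", READ | WRITE | EXECUTE: "ALL"}


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o751


@dataclass
class Policy:
    resource: str          # path the policy is defined on
    allow: dict            # user -> permission bits granted
    deny_all_else: bool = False
    recursive: bool = True


# Constructed namespace mirroring steps 1-4 of the ticket. Group membership is
# an assumption; only the "other" bits of /tmp/test-db matter for kunal.
NAMESPACE = {
    "/tmp": Inode("hdfs", "hdfs", 0o1777),
    "/tmp/test-db": Inode("hdfs", "hdfs", 0o751),
    "/tmp/test-db/t1": Inode("kunal", "hdfs", 0o700),
    "/tmp/test-db/t1/hosts": Inode("kunal", "hdfs", 0o700),
}
GROUPS = {"kunal": {"kunal"}, "hdfs": {"hdfs"}}

# Policies shaped like the two described in the ticket's conclusion.
POLICIES = [
    Policy("/tmp/test-db", {"kunal": EXECUTE}, deny_all_else=True),
    Policy("/tmp/test-db/t1", {"kunal": READ | WRITE | EXECUTE}),
]


def posix_bits(path, user):
    """Owner / group / other bits of the inode, as HDFS POSIX checks use them."""
    inode = NAMESPACE[path]
    if user == inode.owner:
        return (inode.mode >> 6) & 7
    if inode.group in GROUPS.get(user, set()):
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def policy_bits(path, user, policies=POLICIES):
    """Assumed rule: most specific matching policy decides; no match -> POSIX bits."""
    matches = [p for p in policies
               if path == p.resource
               or (p.recursive and path.startswith(p.resource + "/"))]
    if not matches:
        return posix_bits(path, user)
    best = max(matches, key=lambda p: len(p.resource))
    if user in best.allow:
        return best.allow[user]
    return 0 if best.deny_all_else else posix_bits(path, user)


def ancestors(path):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def check(bits_for, user, path, access):
    """HDFS traversal rule: EXECUTE on each ancestor, then `access` on the target.

    Returns (allowed, message); the denial message mirrors the NameNode format.
    """
    for anc in ancestors(path):
        if bits_for(anc, user) & EXECUTE != EXECUTE:
            return False, f'Permission denied: user={user}, access=EXECUTE, inode="{anc}"'
    if bits_for(path, user) & access != access:
        return False, (f'Permission denied: user={user}, '
                       f'access={ACCESS_NAMES[access]}, inode="{path}"')
    return True, "ok"


def ls_dir(bits_for, user, path):
    """`hdfs dfs -ls <dir>` needs READ_EXECUTE on the directory itself."""
    return check(bits_for, user, path, READ_EXECUTE)


if __name__ == "__main__":
    for label, source in (("posix", posix_bits), ("policy", policy_bits)):
        for user in ("kunal", "other"):
            print(label, user, ls_dir(source, user, "/tmp/test-db/t1"))
```

Run stand-alone, the script shows that under the traversal rule both sources let kunal list /tmp/test-db/t1 (execute-only on the parent is sufficient), while an unrelated user is stopped at /tmp/test-db by the denyAllElse policy and at t1 by the 700 mode. Listing /tmp/test-db itself as kunal is denied under both, since that needs READ_EXECUTE on the parent. The denial the ticket reports for kunal on t1 is the case this model does not reproduce.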