Kunal created RANGER-5193:
-----------------------------
Summary: Execute permission on HDFS folder in HDFS Ranger policy does not behave the same as HDFS POSIX permissions
Key: RANGER-5193
URL: https://issues.apache.org/jira/browse/RANGER-5193
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Kunal
If the resource path (HDFS directory) is not managed via Ranger, execute permission alone is enough to traverse the directory.
Whereas, if the resource path (HDFS directory) is managed via Ranger with denyAllElse set to TRUE, the user needs both Read and Execute permissions on the directory in Ranger to be able to read a sub-directory on which the user has full permissions.
Steps to reproduce:
1. Create a folder called test-db under /tmp and assign 751 permissions, so that everybody else has just the "execute" permission
[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db
[hdfs@hostname ~]$ hdfs dfs -chmod 751 /tmp/test-db
[hdfs@hostname ~]$ hdfs dfs -ls -d /tmp/test-db
drwxr-x--x - hdfs hdfs 0 2025-04-07 09:54 /tmp/test-db
2. As the HDFS user, create a sub-folder t1 under test-db and give complete access only to your ID (kunal)
[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db/t1
3. Add some files under t1: /tmp/test-db/t1
[hdfs@hostname ~]$ hdfs dfs -put /etc/hosts /tmp/test-db/t1
[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
-rw-r--r-- 3 hdfs hdfs 211 2025-04-15 10:46 /tmp/test-db/t1/hosts
4. Change ownership of all files and folders under t1 to your user (kunal) and give only your user permissions (700)
[hdfs@hostname ~]$ hdfs dfs -chown -R kunal /tmp/test-db/t1
[hdfs@hostname ~]$ hdfs dfs -chmod -R 700 /tmp/test-db/t1
[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db
Found 1 items
drwx------ - kunal hdfs 0 2025-04-07 10:31 /tmp/test-db/t1
[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------ 3 kunal hdfs 211 2025-04-15 10:46 /tmp/test-db/t1/hosts
5. Log in as your ID and try to list the test-db/t1 folder
[kunal@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------ 3 krajguru hdfs 211 2025-04-15 10:46 /tmp/test-db/t1/hosts
Conclusion:
So, when we have no Ranger policy created on the parent path (/tmp/test-db) and execute permissions are given to everybody (751) on /tmp/test-db, as the kunal user I'm able to list the files under the t1 folder and read the contents of the hosts file at /tmp/test-db/t1/hosts.
But when I create an HDFS Ranger policy on the /tmp/test-db location with the "DenyAllElse" flag set to TRUE and provide the kunal user only execute permission, and another policy on its sub-directory (t1) -- /tmp/test-db/t1 -- with full permissions (read, write, execute) for the kunal user, then even to list the files under folder t1 (/tmp/test-db/t1) it expects kunal to have "read and execute" permissions on the parent directory (/tmp/test-db).
Just execute permission on the parent directory should be enough, similar to HDFS POSIX permissions.
[krajguru@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
ls:
org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException:
Permission denied: user=kunal, access=READ_EXECUTE, inode="/tmp/test-db/t1"
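The following is an added illustration, not code from the Ranger project or from the reporter: two small Python models of the access checks described in this report, run against a constructed namespace that mirrors steps 1-4. posix_check() models the HDFS POSIX rule (execute on every ancestor, then the requested bits on the target), ranger_as_reported() models the observed behaviour in which a denyAllElse policy on the parent is evaluated against the full READ_EXECUTE access of the listing request, and ranger_expected() models the POSIX-like evaluation the report asks for. The mode of /tmp, kunal's group membership (none assumed) and the policy data structure are assumptions; nothing here is Ranger's actual evaluation code, and superuser bypass is not modelled.

```python
from dataclasses import dataclass

# Bits of one rwx triple, as in a POSIX mode.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # octal mode, e.g. 0o751


# Constructed namespace reproducing steps 1-4 of the report. The mode of /tmp is
# an assumption (a conventional sticky, world-traversable tmp directory).
FS = {
    "/tmp": Inode("hdfs", "hdfs", 0o1777),
    "/tmp/test-db": Inode("hdfs", "hdfs", 0o751),
    "/tmp/test-db/t1": Inode("kunal", "hdfs", 0o700),
    "/tmp/test-db/t1/hosts": Inode("kunal", "hdfs", 0o700),
}


def ancestors(path):
    """Proper ancestors of an absolute path, nearest the root first ('/' itself excluded)."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def effective_bits(inode, user, groups):
    """Pick the owner, group or other triple that applies to `user`."""
    if user == inode.owner:
        return (inode.mode >> 6) & 7
    if inode.group in groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def posix_check(fs, path, user, groups, needed):
    """HDFS POSIX-style check: X on every ancestor, then `needed` bits on the target.
    Listing a directory needs R|X on it (the READ_EXECUTE named in the report's error)."""
    for anc in ancestors(path):
        if not effective_bits(fs[anc], user, groups) & X:
            return False, f"no execute on ancestor {anc}"
    if effective_bits(fs[path], user, groups) & needed != needed:
        return False, f"missing permission bits on {path}"
    return True, "ok"


# Ranger access types, as named in the report's policies.
READ, WRITE, EXECUTE = "read", "write", "execute"

# Constructed policies matching the report: denyAllElse=TRUE on /tmp/test-db with
# execute only for kunal, and a full-access policy on /tmp/test-db/t1.
POLICIES = {
    "/tmp/test-db": {"kunal": {EXECUTE}},
    "/tmp/test-db/t1": {"kunal": {READ, WRITE, EXECUTE}},
}


def ranger_as_reported(policies, path, user, needed):
    """Model of the observed behaviour: the access types of the request itself are
    demanded by every denyAllElse policy on the path, ancestors included."""
    for p in ancestors(path) + [path]:
        if p in policies and not needed <= policies[p].get(user, set()):
            return False, f"Permission denied: user={user}, access={sorted(needed)}, policy on {p}"
    return True, "ok"


def ranger_expected(policies, path, user, needed):
    """Model of the POSIX-like behaviour the report asks for: ancestors need only
    execute (traversal); only the target must carry the requested access types."""
    for anc in ancestors(path):
        if anc in policies and EXECUTE not in policies[anc].get(user, set()):
            return False, f"no execute on ancestor {anc}"
    if path in policies and not needed <= policies[path].get(user, set()):
        return False, f"missing access types on {path}"
    return True, "ok"


if __name__ == "__main__":
    target, user = "/tmp/test-db/t1", "kunal"
    print("POSIX          :", posix_check(FS, target, user, set(), R | X))
    print("Ranger reported:", ranger_as_reported(POLICIES, target, user, {READ, EXECUTE}))
    print("Ranger expected:", ranger_expected(POLICIES, target, user, {READ, EXECUTE}))
```

Running the block shows the discrepancy in one screen: the POSIX model and the expected model both allow kunal to list /tmp/test-db/t1 with only execute on the parent, while the model of the reported behaviour denies it until the parent policy is widened to READ and EXECUTE, which is exactly the extra grant the reporter had to add.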
--
This message was sent by Atlassian Jira
(v8.20.10#820010)