[ https://issues.apache.org/jira/browse/RANGER-5193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kunal updated RANGER-5193:
--------------------------
    Description: 
If the resource path (HDFS directory) is not managed via Ranger, only execute 
permission is enough to traverse the directory.
Whereas, if the resource path (HDFS directory) is managed via Ranger with 
denyAllElse set to TRUE, the user needs both Read and Execute permissions 
given on the directory in Ranger to be able to read a sub-directory on which 
the user has full permissions.

Steps to reproduce:

1. Create a folder called test-db under /tmp and assign 751 permissions, where 
everybody has just the "execute" permission.

[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db

[hdfs@hostname ~]$ hdfs dfs -chmod 751 /tmp/test-db

[hdfs@hostname ~]$ hdfs dfs -ls -d /tmp/test-db
drwxr-x--x   - hdfs hdfs          0 2025-04-07 09:54 /tmp/test-db

2. As the hdfs user, create a sub-folder t1 under test-db and give complete access 
only to your ID (kunal).

[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db/t1

3. Add some files under t1 (/tmp/test-db/t1):

[hdfs@hostname ~]$ hdfs dfs -put /etc/hosts /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
-rw-r--r--   3 hdfs     hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

4. Change ownership of all files and folders under t1 to your user (kunal) and give 
only your user permission (700):

[hdfs@hostname ~]$ hdfs dfs -chown -R kunal /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -chmod -R 700 /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db
Found 1 items
drwx------   - kunal hdfs          0 2025-04-07 10:31 /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------   3 kunal hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

5. Log in as your ID and try to list the test-db/t1 folder:

[kunal@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------   3 kunal hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

Conclusion:

So, when we have no Ranger policy created on the parent path (/tmp/test-db) and 
execute permission is given to everybody (751) on /tmp/test-db, as the kunal 
user I'm able to list the files under the t1 folder and read the contents of the 
hosts file at /tmp/test-db/t1/hosts.

But when I create an HDFS Ranger policy on the /tmp/test-db location with the 
"DenyAllElse" flag set to TRUE and provide the kunal user only execute permission, 
and another policy on its sub-directory t1 (/tmp/test-db/t1) giving the kunal user 
full permissions (read, write, execute), then even to list the files under folder 
t1 (/tmp/test-db/t1), it expects kunal to have "read and execute" permissions 
on the parent directory (/tmp/test-db).

Just execute permission on the parent directory must be fine, similar to HDFS POSIX 
permissions.

[krajguru@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
ls: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException: Permission denied: user=kunal, access=READ_EXECUTE, inode="/tmp/test-db/t1"

  was:
If the resource path (HDFS directory) is not managed via Ranger, only execute 
permission is enough to traverse the directory.
Whereas, if the resource path (HDFS directory) is managed via Ranger with 
denyAllElse set to TRUE, the user needs both Read and Execute permissions 
given on the directory in Ranger to be able to read a sub-directory on which 
the user has full permissions.

Steps to reproduce:

1. Create a folder called test-db under /tmp and assign 751 permissions, where 
everybody has just the "execute" permission.

[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db

[hdfs@hostname ~]$ hdfs dfs -chmod 751 /tmp/test-db

[hdfs@hostname ~]$ hdfs dfs -ls -d /tmp/test-db
drwxr-x--x   - hdfs hdfs          0 2025-04-07 09:54 /tmp/test-db

2. As the hdfs user, create a sub-folder t1 under test-db and give complete access 
only to your ID (kunal).

[hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db/t1

3. Add some files under t1 (/tmp/test-db/t1):

[hdfs@hostname ~]$ hdfs dfs -put /etc/hosts /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
-rw-r--r--   3 hdfs     hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

4. Change ownership of all files and folders under t1 to your user (kunal) and give 
only your user permission (700):

[hdfs@hostname ~]$ hdfs dfs -chown -R kunal /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -chmod -R 700 /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db
Found 1 items
drwx------   - kunal hdfs          0 2025-04-07 10:31 /tmp/test-db/t1

[hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------   3 kunal hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

5. Log in as your ID and try to list the test-db/t1 folder:

[kunal@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
Found 1 items
-rwx------   3 krajguru hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

Conclusion:

So, when we have no Ranger policy created on the parent path (/tmp/test-db) and 
execute permission is given to everybody (751) on /tmp/test-db, as the kunal 
user I'm able to list the files under the t1 folder and read the contents of the 
hosts file at /tmp/test-db/t1/hosts.

But when I create an HDFS Ranger policy on the /tmp/test-db location with the 
"DenyAllElse" flag set to TRUE and provide the kunal user only execute permission, 
and another policy on its sub-directory t1 (/tmp/test-db/t1) giving the kunal user 
full permissions (read, write, execute), then even to list the files under folder 
t1 (/tmp/test-db/t1), it expects kunal to have "read and execute" permissions 
on the parent directory (/tmp/test-db).

Just execute permission on the parent directory must be fine, similar to HDFS POSIX 
permissions.

[krajguru@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
ls: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException: Permission denied: user=kunal, access=READ_EXECUTE, inode="/tmp/test-db/t1"


> Execute permission on HDFS folder in HDFS Ranger policy does not behave the 
> same as HDFS POSIX permissions 
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5193
>                 URL: https://issues.apache.org/jira/browse/RANGER-5193
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Kunal
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
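As an added example (not part of the Jira issue, and not Ranger's or HDFS's own code), the following Python models the POSIX-style check the report uses as its baseline, over the directory tree from the reproduction steps: execute-only on /tmp/test-db lets kunal list t1 (step 5), while a listing of /tmp/test-db itself is still refused for lack of the read bit. Group membership, the modes of / and /tmp, the superuser short-circuit and the helper names are assumptions.

```python
# Added example, not code from the Jira issue or from Ranger/HDFS: a small model
# of the POSIX-style check HDFS applies when no Ranger policy covers a path.
# Owners, groups, modes and paths mirror the reporter's steps; the rest is assumed.

# Constructed inode table: path -> (owner, group, mode bits)
INODES = {
    "/": ("hdfs", "hdfs", 0o755),          # assumption
    "/tmp": ("hdfs", "hdfs", 0o1777),      # assumption
    "/tmp/test-db": ("hdfs", "hdfs", 0o751),
    "/tmp/test-db/t1": ("kunal", "hdfs", 0o700),
    "/tmp/test-db/t1/hosts": ("kunal", "hdfs", 0o700),
}
GROUPS = {"hdfs": {"hdfs"}, "kunal": {"kunal"}}   # constructed membership
SUPERUSER = "hdfs"                                 # assumed HDFS superuser, bypasses checks

# Access masks in rwx bit form; listing a directory needs READ_EXECUTE on it.
ACCESS = {"READ": 4, "WRITE": 2, "EXECUTE": 1, "READ_EXECUTE": 5}

def effective_bits(user, path):
    """rwx bits (0-7) that apply to `user` on `path`: owner, group, or other class."""
    owner, group, mode = INODES[path]
    if user == owner:
        return (mode >> 6) & 7
    if group in GROUPS.get(user, set()):
        return (mode >> 3) & 7
    return mode & 7

def ancestors(path):
    """Yield '/', then each proper ancestor directory of `path`, top down."""
    parts = path.strip("/").split("/")
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])

def check_posix(user, path, access):
    """POSIX/HDFS rule: EXECUTE on every ancestor (traverse), then `access` on
    the inode itself. Returns None when allowed, else a denial message."""
    if user == SUPERUSER:
        return None
    for anc in ancestors(path):
        if effective_bits(user, anc) & ACCESS["EXECUTE"] == 0:
            return f'Permission denied: user={user}, access=EXECUTE, inode="{anc}"'
    need = ACCESS[access]
    if effective_bits(user, path) & need != need:
        return f'Permission denied: user={user}, access={access}, inode="{path}"'
    return None
```

`check_posix("kunal", "/tmp/test-db/t1", "READ_EXECUTE")` returns None (allowed), whereas `check_posix("kunal", "/tmp/test-db", "READ_EXECUTE")` is denied on /tmp/test-db, which is exactly the execute-versus-read distinction the report expects Ranger to preserve.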