Hi Ranger Users, a few more questions:

- I enabled auditing for an HDFS resource */demo/card_data* and added a policy that only a specific group can access it. As *hdfs* is the superuser in the Hadoop world, hdfs can bypass the rules set by Ranger. But when I checked the auditing section for this HDFS resource */demo/card_data*, the *hdfs* user's audit logs were not found. In fact, no audit logs are captured for any access done by the *hdfs* user. What is the expected behaviour?
- If there is a global policy which states */demo/* recursively has *public* access, along with a policy which states that */demo/card_data* is accessible only to *hdusr*, then the global policy is applied and anyone can access the */demo* resource recursively. What is the expected behaviour?
- Can I somehow have a negation condition which overrides all policies? Say */demo* had a global access policy and another policy states that, except for the *hdfs* supergroup, every user should be able to access the HDFS resource.

Thanks in advance!

On Thu, Jun 4, 2015 at 6:17 AM, Suraj Nayak <[email protected]> wrote:
> Thanks Loïc for the quick response! So, to protect PII information from being accessed by admins, encryption is the way ahead. Right?
>
> On Thu, Jun 4, 2015 at 5:55 AM, Chanel Loïc <[email protected]> wrote:
>
>> Hi Suraj Nayak,
>>
>> As Hadoop authorizations run the same way as Unix ones, *hdfs* is the equivalent of the superuser in Linux.
>>
>> So basically yes, *hdfs* can bypass any rule/policy set by Ranger as it has all the rights on the cluster.
>>
>> Regards,
>>
>> Loïc
>>
>> *From:* Suraj Nayak [mailto:[email protected]]
>> *Sent:* Thursday, 4 June 2015 14:48
>> *To:* [email protected]
>> *Subject:* hdfs user can bypass policy in ranger
>>
>> Hi Ranger Users,
>>
>> I am new to Ranger. What I tried was, I created an HDFS policy for a file created by a user, say *hdusr*. The policy states only hdusr can access it. Ranger behaves perfectly well by denying access to this HDFS file resource for all users other than *hdusr*, except the *hdfs* user.
>>
>> Does this mean that the *hdfs* superuser can bypass the policy and open, rename and delete a file which is protected by a Ranger policy?
>>
>> Thanks in advance :)
>>
>> --
>> Thanks
>> Suraj Nayak M
>>
>> ------------------------------
>>
>> This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
>
> --
> Thanks
> Suraj Nayak M

--
Thanks
Suraj Nayak M
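The three questions in this thread (superuser access leaving no audit trail, a broad recursive allow on a parent path competing with a narrower allow on a child path, and whether an explicit deny can override allows) are all about how an authorizer combines policies. The following is an added example, not code from Apache Ranger, HDFS or anyone in this thread: a small Python model of a policy set with a superuser short-circuit and deny-overrides combining, run over constructed sample paths, users and groups. The `Policy` class, `authorize` function and the user and group names `alice`, `bob` and `analysts` are hypothetical; `hdfs`, `hdusr`, `/demo` and `/demo/card_data` are taken from the thread.

```python
"""Toy model of policy combining for the questions raised in this thread.

Added illustration with made-up data; it is NOT Apache Ranger's or HDFS's
own engine. It shows (1) a superuser short-circuit that never consults the
policy set and therefore writes no policy-level audit record, (2) a broad
recursive allow on a parent path that still covers a child path even when
the child has a narrower allow, and (3) an explicit deny that wins over
every allow, which is what excluding a group actually requires.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    path: str                 # resource path the policy covers
    recursive: bool           # whether it also covers sub-paths
    effect: str               # "allow" or "deny"
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def matches(self, resource, user, groups):
        path_ok = resource == self.path or (
            self.recursive and resource.startswith(self.path.rstrip("/") + "/"))
        principal_ok = ("public" in self.groups or user in self.users
                        or bool(self.groups & groups))
        return path_ok and principal_ok


def authorize(resource, user, groups, policies, superusers, audit):
    """Return True if access is granted; append one audit record per decision.

    Superusers bypass the policy set entirely (as the thread observes for the
    hdfs user), so no policy-level audit record is written for them: the
    audit log only shows decisions the policy engine actually made.
    """
    if user in superusers:
        return True                       # no audit record written here
    hits = [p for p in policies if p.matches(resource, user, groups)]
    if any(p.effect == "deny" for p in hits):
        decision = False                  # deny-overrides combining
    else:
        decision = any(p.effect == "allow" for p in hits)
    audit.append({"resource": resource, "user": user, "result": decision,
                  "policies": [p.path + ":" + p.effect for p in hits]})
    return decision


def run_demo():
    """Constructed scenario mirroring the thread; returns the outcomes."""
    policies = [
        # Global recursive allow for everyone on the parent path.
        Policy("/demo", recursive=True, effect="allow", groups={"public"}),
        # Narrower allow on the child: it adds hdusr, it does not restrict others.
        Policy("/demo/card_data", recursive=False, effect="allow", users={"hdusr"}),
        # Explicit deny for members of the hdfs supergroup on the child path.
        Policy("/demo/card_data", recursive=False, effect="deny", groups={"hdfs"}),
    ]
    superusers = {"hdfs"}
    audit = []
    results = {
        # alice is neither hdusr nor in a denied group: the parent allow lets her in.
        "alice_via_parent_allow": authorize("/demo/card_data", "alice", {"analysts"},
                                            policies, superusers, audit),
        "hdusr": authorize("/demo/card_data", "hdusr", {"users"},
                           policies, superusers, audit),
        # bob is an ordinary account in the hdfs supergroup: the deny wins.
        "bob_supergroup_member_denied": authorize("/demo/card_data", "bob", {"hdfs"},
                                                  policies, superusers, audit),
        # The superuser account itself never reaches the policies.
        "hdfs_superuser_bypass": authorize("/demo/card_data", "hdfs", {"hdfs"},
                                           policies, superusers, audit),
    }
    # Which principals appear in the audit log: the superuser is absent.
    results["audit_users"] = sorted({rec["user"] for rec in audit})
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The model makes the two points a defender needs from this thread explicit: a narrower allow on a child path cannot take access away that a recursive parent allow already grants, only a deny with deny-overrides semantics can, and a deny still cannot reach an account that the authorizer never consults the policy set for, which is also why such an account leaves no entries in the policy audit log. Controls for that account have to sit below the authorizer (encryption, as the thread suggests, or tightly limiting who can become it).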
