Managing HDFS access per Hue user via Ranger

Available in VPC

You can implement security rules for your big data ecosystem using Apache Ranger. Ranger project enables you to consistently define and implement security guidelines throughout all Hadoop applications.

This guide explains how to specify HDFS directories that are accessible by each user through Ranger's user-based access permission management feature.

Ranger architecture summary

• When the client accesses resources, Ranger controls access in the middle on a policy basis.
• It's possible to control access for resources of components such as Hive and HBase, as well as HDFS.

Create user using HUE

1. Connect to the HUE UI.
   • For more information about using HUE, refer to Using HUE.
2. Put the cursor on the profile at the lower left, and click [Manage user].
   
3. Click [Add user] at the upper right, and then create a new user by entering a username and password.
   

• The created user can be viewed from the user management page if the user has been created successfully.
• Additionally, you can click the [File] tab on the left to see a directory with the user's name under the path /user.

Create Ranger user

1. Access the Ranger UI, and then click the Settings > [Users/Groups] button at the top.
2. Click the Groups tab at the top, and then click the [Add New Group] button.
3. To add a Ranger user, click the Users tab at the top, and then click the [Add New User] button.
   • Create a user with the same username as the user previously created in HUE in the User Name field.
   • Password and First Name fields can be specified as you'd like.
   • You can choose the user is to be admin or a regular user in the Select Role field.
   • Select the previously created group for the Group field.
     
4. Once the user creation is completed, you can see the user list in the Ranger UI as shown above.
   

Create Ranger policy

1. To set up a policy, click Access Manager > Resource Based Policies at the top.
2. Click the [{cluster name}_hadoop] service under the HDFS tab.
   
3. Click the [Add New Policy] button on the right.
   

Set resources

• In Create Policy > Policy Details, you can set the name of the Policy and the resources you want to manage.
  
• Enter the path of the HDFS directory you'd like to control access in the [Resource Path] field.
• The [recursive] option indicates if subdirectories are to be included or not.

Compose conditions

• You can access HDFS from HUE, even if you haven't created a separate Ranger policy.

• There are two types of Ranger policy conditions: there's the allow condition to allow access and the deny condition to restrict access.
• HDFS can be accessed without conditions, so you have to create a Ranger policy and compose the deny conditions first in order to control access to HDFS.

• Click [Select User] in the Deny Conditions section to select all users to restrict access.
• If you want to allow access only to specific users, you can specify exempt users by clicking the [Select User] item under the [Exclude from Deny Conditions] tab.
• Please set the permissions in [Permissions].
• When the condition is completed, click the [Add] button at the bottom to create a policy.
  
• If the access restrictions are set normally, a warning pop-up message is displayed in the upper right corner when Hue accesses the HDFS directory to which the access restrictions are applied.
• The example below shows the screen when trying to access the directory /user/user-1 after logging in as user 'user-2'. You can see that a warning pop-up message is output because access is restricted.
  

Check Ranger Audit

• The cause of access restriction can be accurately identified through the Ranger UI.
• Please click the [Audit] tab at the top.
  
• In the access list, you can check the directories whose access is restricted by Ranger.
• Resources restricted by Ranger rather than HDFS's own ACL have 'ranger-acl' printed on the Access Enforcer tab instead of 'hadoop-acl'.