Managing HDFS access per Hue user via Ranger

It is available in a VPC environment.

You can implement security rules for your big data ecosystem using Apache Ranger. The Ranger project lets you define and enforce security policies consistently across all Hadoop applications.

This guide explains how to specify HDFS directories that are accessible by each user through Ranger's user-based access permission management feature.

Note

To use Ranger's user-based access permission management feature, the Ranger plugin must be enabled first.
Refer to the Ranger plugin activation guide for how to enable the Ranger plugin.

Ranger architecture summary

  • When a client accesses resources, Ranger sits between the client and the resource and controls access based on policies.
  • It's possible to control access for resources of components such as Hive and HBase, as well as HDFS.

Create user using HUE

  1. Connect to the HUE UI.
    • For more information about using HUE, refer to Using HUE.
  2. Put the cursor on the profile at the lower left, and click [Manage user].

  3. Click [Add user] at the upper right, and then create a new user by entering a username and password.

  • The created user can be viewed from the user management page if the user has been created successfully.
  • Additionally, you can click the [File] tab on the left to see a directory with the user's name under the path /user.

Create Ranger user

  1. Access the Ranger UI, and then click the Settings > [Users/Groups] button at the top.
  2. Click the Groups tab at the top, and then click the [Add New Group] button.
  3. To add a Ranger user, click the Users tab at the top, and then click the [Add New User] button.

  • Create a user with the same username as the user previously created in HUE in the User Name field.
  • Password and First Name fields can be specified as you'd like.
  • You can choose whether the user is an admin or a regular user in the Select Role field.
  • Select the previously created group for the Group field.

image.png

  • Once the user creation is completed, you can see the user list in the Ranger UI as shown above.

Create Ranger policy

  1. To set up a policy, click Access Manager > Resource Based Policies at the top.
  2. Click the [{cluster name}_hadoop] service under the HDFS tab.

  3. Click the [Add New Policy] button on the right.

Warning

The [+] button at the right side of the [HDFS] tab creates a service, not a policy. To create a policy, click the [{cluster name}_hadoop] service, not the [+] button, and create a policy within the service.

Set resources

  • You can set up a policy's name and resources you want to manage in the [Policy Details] field.

  • Enter the path of the HDFS directory whose access you'd like to control in the [Resource Path] field.
  • The [recursive] option indicates whether subdirectories are included.

Compose conditions

  • You can access HDFS from HUE, even if you haven't created a separate Ranger policy.

Note

If Ranger conditions are not set up, then HDFS and YARN will use their own ACL to control user access. Accordingly, access to HDFS is possible from HUE, even if there are no Ranger conditions. However, other components can't be accessed if no Ranger condition has been set up, even if the Ranger plugin is enabled.

  • There are two types of Ranger policy conditions: allow conditions, which permit access, and deny conditions, which restrict access.
  • HDFS can be accessed without conditions, so you have to create a Ranger policy and compose the deny conditions first in order to control access to HDFS.

Note

Ranger policies check access permissions in the order of deny conditions, deny condition exceptions, allow conditions, and allow condition exceptions.

  • Click the [Select User] item under the [Deny Conditions] tab, and then select all users to whom you want to deny access.
  • To allow access only to certain users, click the [Select User] item under the [Exclude from Deny Conditions] tab and specify the users who are exempt from the deny condition.
  • Once you've specified all conditions, click the [Add] button at the bottom to create the policy.

image.png

  • If the access control has been set up successfully, an attempt from HUE to access an HDFS directory to which the access control applies will display a warning pop-up message at the upper right.
  • The example above shows the page when an access attempt to the /user/user-1 directory is made after logging in as the user "user-2." You can see that the access is denied, and a warning pop-up message has appeared.

Check Ranger audit

You can find out exactly why an access is denied through the Ranger UI.

  • Click the [Audit] button at the upper right of the page.

  • You can see the directories whose access is restricted by Ranger in the access list.
  • For the resources on which the restriction is imposed by Ranger, rather than HDFS's own ACL, you can see "ranger-acl" is shown under the Access Enforcer, rather than "hadoop-acl."
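
The check order from the note above, the deny plus exclude-from-deny pattern, and the Access Enforcer values shown in the audit view, as a simplified model. This is an added example, not Ranger's code or part of the original guide; the Policy class and its field names, the permissive_acl stand-in for HDFS's own check, and the user "user-3" are assumptions.

```python
# Simplified model of the check order in this guide; not Ranger's own code.
# Class and field names are illustrative, not the Ranger policy schema.
from dataclasses import dataclass, field

@dataclass
class Policy:
    path: str                                       # [Resource Path]
    recursive: bool = True                          # [recursive] option
    deny: set = field(default_factory=set)          # [Deny Conditions]
    deny_except: set = field(default_factory=set)   # [Exclude from Deny Conditions]
    allow: set = field(default_factory=set)         # [Allow Conditions]
    allow_except: set = field(default_factory=set)  # [Exclude from Allow Conditions]

    def covers(self, target: str) -> bool:
        base = self.path.rstrip("/") or "/"
        target = target.rstrip("/") or "/"
        if target == base:
            return True
        # A recursive match must stop at a path separator, so a policy on
        # /user/user-1 does not also cover /user/user-10.
        prefix = base if base.endswith("/") else base + "/"
        return self.recursive and target.startswith(prefix)

def check_access(policies, user, path, hdfs_acl_allows):
    """Return (allowed, enforcer) for one access attempt."""
    matching = [p for p in policies if p.covers(path)]
    # Deny conditions first, then their exceptions.
    for p in matching:
        if user in p.deny and user not in p.deny_except:
            return False, "ranger-acl"
    # Allow conditions next, then their exceptions.
    for p in matching:
        if user in p.allow and user not in p.allow_except:
            return True, "ranger-acl"
    # No Ranger condition decided: HDFS falls back to its own ACL.
    return hdfs_acl_allows(user, path), "hadoop-acl"

# Constructed sample: one policy on /user/user-1 that denies three users,
# with user-1 excluded from the deny condition.
POLICIES = [Policy(path="/user/user-1",
                   deny={"user-1", "user-2", "user-3"},
                   deny_except={"user-1"})]

def permissive_acl(user, path):
    # Assumption: stands in for HDFS's own permission check.
    return True

if __name__ == "__main__":
    for u, p in [("user-2", "/user/user-1"), ("user-1", "/user/user-1/data"),
                 ("user-2", "/user/user-10")]:
        print(u, p, check_access(POLICIES, u, p, permissive_acl))
```

A user excluded from the deny condition is not granted access by Ranger in this model; the decision passes to HDFS's own ACL, which is why the enforcer for that request is "hadoop-acl".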
