Managing HDFS access per Hue user via Ranger
  • PDF

Managing HDFS access per Hue user via Ranger

  • PDF

Available in VPC

You can implement security rules for your big data ecosystem using Apache Ranger. Ranger project enables you to consistently define and implement security guidelines throughout all Hadoop applications.

This guide explains how to specify HDFS directories that are accessible by each user through Ranger's user-based access permission management feature.

Note

To use Ranger's user-based access permission management feature, the Ranger plugin must be enabled first.
For how to activate Ranger Plugin, refer to the Setting up access control with Ranger plugin guide.

Ranger architecture summary

image.png

  • When the client accesses resources, Ranger controls access in the middle on a policy basis.
  • It's possible to control access for resources of components such as Hive and HBase, as well as HDFS.

Create user using HUE

  1. Connect to the HUE UI.
    • For more information about using HUE, refer to Using HUE.
  2. Put the cursor on the profile at the lower left, and click [Manage user].
    cloudhadoop-vpc-23-hue1.png
  3. Click [Add user] at the upper right, and then create a new user by entering a username and password.
    cloudhadoop-vpc-23-hue2.png
  • The created user can be viewed from the user management page if the user has been created successfully.
  • Additionally, you can click the [File] tab on the left to see a directory with the user's name under the path /user.

Create Ranger user

  1. Access the Ranger UI, and then click the Settings > [Users/Groups] button at the top.
  2. Click the Groups tab at the top, and then click the [Add New Group] button.
  3. To add a Ranger user, click the Users tab at the top, and then click the [Add New User] button.
    • Create a user with the same username as the user previously created in HUE in the User Name field.
    • Password and First Name fields can be specified as you'd like.
    • You can choose the user is to be admin or a regular user in the Select Role field.
    • Select the previously created group for the Group field.
      cloudhadoop-vpc-23-user.png
  4. Once the user creation is completed, you can see the user list in the Ranger UI as shown above.
    cloudhadoop-vpc-23-user1.png

Create Ranger policy

  1. To set up a policy, click Access Manager > Resource Based Policies at the top.
  2. Click the [{cluster name}_hadoop] service under the HDFS tab.
    cloudhadoop-vpc-23-policy.png
  3. Click the [Add New Policy] button on the right.
    cloudhadoop-vpc-23-policy1.png
Caution

The [+] button at the right side of the [HDFS] tab creates a service, not a policy. To create a policy, click the [{cluster name}_hadoop] service, not the [+] button, and create a policy within the service.

Set resources

  • In Create Policy > Policy Details, you can set the name of the Policy and the resources you want to manage.
    cloudhadoop-vpc-23-policy2.png
  • Enter the path of the HDFS directory you'd like to control access in the [Resource Path] field.
  • The [recursive] option indicates if subdirectories are to be included or not.

Compose conditions

  • You can access HDFS from HUE, even if you haven't created a separate Ranger policy.
Note

If Ranger conditions are not set up, then HDFS and YARN will use their own ACL to control user access. Accordingly, access to HDFS is possible from HUE, even if there's no Ranger conditions. However, other components can't be accessed if no Ranger condition has been set up, even if the Ranger plugin is enabled.

  • There are two types of Ranger policy conditions: there's the allow condition to allow access and the deny condition to restrict access.
  • HDFS can be accessed without conditions, so you have to create a Ranger policy and compose the deny conditions first in order to control access to HDFS.
Note

Ranger policies check access permissions in the order of deny conditions, deny condition exceptions, allow conditions, and allow condition exceptions.

  • Click [Select User] in the Deny Conditions section to select all users to restrict access.
  • If you want to allow access only to specific users, you can specify exempt users by clicking the [Select User] item under the [Exclude from Deny Conditions] tab.
  • Please set the permissions in [Permissions].
  • When the condition is completed, click the [Add] button at the bottom to create a policy.
    cloudhadoop-vpc-23-policy3.png
  • If the access restrictions are set normally, a warning pop-up message is displayed in the upper right corner when Hue accesses the HDFS directory to which the access restrictions are applied.
  • The example below shows the screen when trying to access the directory /user/user-1 after logging in as user 'user-2'. You can see that a warning pop-up message is output because access is restricted.
    cloudhadoop-vpc-23-policy4.png

Check Ranger Audit

  • The cause of access restriction can be accurately identified through the Ranger UI.
  • Please click the [Audit] tab at the top.
    cloudhadoop-vpc-23-policy5.png
  • In the access list, you can check the directories whose access is restricted by Ranger.
  • Resources restricted by Ranger rather than HDFS's own ACL have 'ranger-acl' printed on the Access Enforcer tab instead of 'hadoop-acl'.

Was this article helpful?