Available in VPC
Apache Ranger lets you implement security rules for the big data ecosystem. The Ranger project enables security guidelines to be defined and enforced in a uniform way across all Hadoop applications.
This guide explains how to designate accessible HDFS directories per user using Ranger’s user-based access permissions management feature.
To use Ranger’s user-based access permissions management, the Ranger Plugin must be enabled in advance.
For instructions on enabling the Ranger Plugin, see Configure Ranger Plugin access control.
Summary of Ranger architecture

- When a client attempts to access a resource, Ranger enforces access control based on defined policies.
- Access control can also be applied to resources of components such as Hive and HBase in addition to HDFS.
Create a user in Hue
- Access the Hue Web UI.
- For more information about using Hue, see the Using Hue guide.
- Hover over the profile icon at the bottom-left corner and click [Manage user].

- Click [Add user] in the upper-right corner, then enter a username and password to create a new user.

- Once successfully created, the user will appear on the user management page.
- You can also verify that a directory with the user’s name has been created under /user by clicking the File menu in the left navigation bar.
Create Ranger user
- Access the Ranger UI, and click Settings > [Users/Groups/Roles] at the top.
- Click Groups > [Add New Group] to create a group.
- To add a Ranger user, click the [Users] tab at the top, then click [Add New User].
- Enter the same username created in Hue under the User Name field.
- The Password and First Name fields can be set freely.
- In the Select Role field, choose either Admin or User.
- Select the previously created group in the Group field.

- After user creation is complete, you can verify the user list in the Ranger UI.

Create Ranger Policy
- To configure a policy, click Access Manager > Resource Based Policies at the top.
- Under the [HDFS] tab, click the [{Cluster name}_hadoop] service.

- Click [Add New Policy] on the right.

The [+] button on the right side of the [HDFS] tab is used to create a service, not a policy. To create a policy, select the [{Cluster name}_hadoop] service, instead of the [+] button, and create the policy within the service.
Resource Settings
- Under Create Policy > Policy Details, specify the policy name and the resource to manage.

- In the [Resource Path] field, enter the HDFS directory path to control access.
- The [recursive] option determines whether subdirectories are included.
Define conditions
- Even if no Ranger policy is created, HDFS access is available through Hue.
If no Ranger condition is defined, HDFS and YARN manage access using their native ACL mechanisms. Therefore, even if a Ranger condition does not exist, HDFS access from Hue is still allowed. However, for other components, if the Ranger plugin is enabled but no Ranger condition is configured, access will be restricted.
- Conditions in a Ranger policy are of two types: Allow conditions, which grant access, and Deny conditions, which restrict access.
- Since HDFS access is permitted even without a condition, you must first create a Ranger policy and configure a Deny condition to restrict HDFS access.
A Ranger policy evaluates access permissions in the following order: Deny condition, Deny condition exceptions, Allow condition, and Allow condition exceptions.
- In the Deny Conditions section, click [Select User] and select all users whose access should be restricted.
- To allow access only to specific users, click [Select User] under the [Exclude from Deny Conditions] tab and designate the exception users.
- Configure the required permissions in [Permissions].
- Once the condition configuration is complete, click [Add] at the bottom to create the policy.

- If access restriction has been successfully configured, a warning popup message will appear in the upper-right corner when attempting to access the restricted HDFS directory from Hue.
- The example below shows the interface when logging in as user "user-2" and attempting to access the /user/user-1 directory. You can confirm that a warning popup message is displayed due to access restriction.

Verify Ranger audit
- The exact reason for the access restriction can be identified through the Ranger UI.
- Click the [Audit] tab at the top.

- In the access list, you can verify the directory whose access was restricted by Ranger.
- For resources restricted by Ranger rather than by HDFS native ACL, the Access Enforcer tab displays ranger-acl instead of hadoop-acl.
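The following is an added example, not code from Ranger or from this guide: a simplified Python model of the evaluation order described under Define conditions, including the fall-through to HDFS native ACLs and the enforcer name that the Audit tab would show. The policy name, the `native_acl_allows` parameter and the sample users are constructed for illustration; the dictionary keys follow Ranger's policy JSON naming, with the access lists simplified to plain strings.

```python
import posixpath

# Constructed policy mirroring the guide: protect /user/user-1,
# list both users under Deny, then exempt user-1 from the Deny condition.
POLICY = {
    "name": "restrict-user-1-home",  # hypothetical policy name
    "resources": {"path": {"values": ["/user/user-1"], "isRecursive": True}},
    "denyPolicyItems": [{"users": ["user-1", "user-2"],
                         "accesses": ["read", "write", "execute"]}],
    "denyExceptions": [{"users": ["user-1"],
                        "accesses": ["read", "write", "execute"]}],
    "policyItems": [],       # Allow conditions (none in this guide's scenario)
    "allowExceptions": [],   # Exclusions from Allow conditions
}

def path_matches(policy, path):
    """True if path falls under a Resource Path, honoring the recursive option."""
    res = policy["resources"]["path"]
    path = posixpath.normpath(path)
    for base in res["values"]:
        base = posixpath.normpath(base)
        if path == base:
            return True
        # Compare on a directory boundary so /user/user-10 does not match /user/user-1.
        if res["isRecursive"] and path.startswith(base.rstrip("/") + "/"):
            return True
    return False

def _hit(items, user, access):
    return any(user in i["users"] and access in i["accesses"] for i in items)

def evaluate(policy, user, path, access, native_acl_allows=True):
    """Return (allowed, enforcer) using the order: deny, deny exceptions,
    allow, allow exceptions. With no Ranger decision, HDFS native ACLs decide."""
    if path_matches(policy, path):
        if (_hit(policy["denyPolicyItems"], user, access)
                and not _hit(policy["denyExceptions"], user, access)):
            return False, "ranger-acl"
        if (_hit(policy["policyItems"], user, access)
                and not _hit(policy["allowExceptions"], user, access)):
            return True, "ranger-acl"
    # No Ranger condition applied: native_acl_allows stands in for the HDFS ACL result.
    return native_acl_allows, "hadoop-acl"

if __name__ == "__main__":
    for user in ("user-1", "user-2"):
        print(user, evaluate(POLICY, user, "/user/user-1", "read"))
```

In this model, user-1 is exempt from the Deny condition and has no Allow condition, so the decision comes from `hadoop-acl`. The native ACLs on the directory therefore still need to be correct for excepted users.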