Ranger HDFS plugin - stanislawbartkowski/hdpactivedirectory GitHub Wiki

Ranger HDFS plugin

After the Ranger HDFS plugin is enabled, access to the HDFS file system is supervised by Ranger. There are some good practices related to it: https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger

Cloudera CDP: https://docs.cloudera.com/cloudera-manager-ibm/7.2.3/installation/topics/cdpdc-additional-steps-ranger.html

Test

Run a simple test to verify that group privileges declared in Ranger are handed down to group members.

Users and groups

The Active Directory users and groups used for the test: https://github.com/stanislawbartkowski/hdpactivedirectory/blob/master/README.md#ad-users-and-groups-used-for-testing

Make sure that the users and groups are listed in Ranger.

HDFS test directory

As the HDFS superuser, create the HDFS /datalake/ directory, make the hdfs user the owner of the directory, and set its permissions to 000 so that the Ranger security scheme takes precedence here.

hdfs dfs -mkdir /datalake
hdfs dfs -chmod 000 /datalake

hdfs dfs -ls /datalake

...
d---------   - uhdfs supergroup          0 2021-02-12 12:52 /datalake
....

Ranger policy

Create a policy in Ranger and give it several minutes to take effect. The policy is defined at the group level. The dataadmin group has read/write access to the /datalake path; the datascience group can only read the data. All other users should be denied when trying to access the path.
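The policy described above, written as the JSON document that Ranger's public REST API (`/service/public/v2/api/policy`) accepts. This is an added example, not taken from the original page. The service name is a placeholder, the policy name is made up, and the `execute` access type is an assumption added so that group members can list and traverse the directory.

```json
{
  "service": "REPLACE_WITH_HDFS_SERVICE_NAME",
  "name": "datalake-group-access",
  "description": "Constructed example: group-level access to /datalake",
  "isEnabled": true,
  "isAuditEnabled": true,
  "resources": {
    "path": {
      "values": ["/datalake"],
      "isRecursive": true,
      "isExcludes": false
    }
  },
  "policyItems": [
    {
      "groups": ["dataadmin"],
      "accesses": [
        { "type": "read", "isAllowed": true },
        { "type": "write", "isAllowed": true },
        { "type": "execute", "isAllowed": true }
      ],
      "delegateAdmin": false
    },
    {
      "groups": ["datascience"],
      "accesses": [
        { "type": "read", "isAllowed": true },
        { "type": "execute", "isAllowed": true }
      ],
      "delegateAdmin": false
    }
  ]
}
```

No deny items are listed: a user outside both groups matches no allow item, and where the plugin falls back to native HDFS permissions the 000 mode on /datalake refuses the request.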

Then run the test described here; it is expected to yield the same result.

https://github.com/stanislawbartkowski/wikis/wiki/HDP-2.6.5-3.1-and-Active-Directory#test2-authorization

When the test is completed, check the Ranger/Audit panel; all denied requests are reported there.