2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article describes in detail how to use Ranger to authorize HDFS.
Document Overview
1. Introduce the default permission policy of HDFS in Ranger in CDP7.1.3
2. Use Ranger to set permission policies for HDFS and verify
Test environment
1. Operating system: Redhat 7.6
2. CDP DC 7.1.3
Default permission Policy of HDFS in Ranger
Log in to the http://cdp02.fayson.com:6080 page as the admin user and click cm_hdfs to open its policy page.
On this page you can see two default policies. The first is the policy for the hdfs user, which by default has all permissions on all directories; in the same policy, rangerlookup has read permission on all directories.
The second policy covers the keyadmin user's access to the /ranger/audit/kms directory. Both policies are created by CDP at installation. It is recommended that you do not casually modify the permission policies of these two users.
Use Ranger to set permission policies for HDFS and verify
3.1 HDFS authorization
As described above, the hdfs user has permissions on all directories. If you need to give another user the same permissions, or any permissions on all directories, you must add further permission conditions to this existing policy, because there can only be one policy for the same directory.
First we add a user, fayson. Here a script is used to add the fayson user on all nodes.
Then check Enable Ranger Authorization in HDFS, save, and restart for the change to take effect.
Verify the following before giving permission:
Give fayson read and write permissions on all directories. This requires adding a new permission condition to the all-path policy. The correct approach is as follows:
After saving the policy, click View
You cannot add a separate new policy as follows; Ranger reports that a policy [all-path] has already been created for the same resource. The error is as follows:
Then verify again; this time the creation succeeds.
3.2 HDFS multilevel authorization and deny condition policies
To verify multi-level authorization, first create two local test users, testuser1 and testuser2, and on the Ranger page create the corresponding Ranger login users with their associated groups (LDAP users can log in with their user password without this step).
Log in to Ranger and you can see that the User Source is External. Because passwords of local Linux users are not synchronized by default, delete the automatically synchronized Linux users in Settings > Users, then recreate them manually and associate their groups.
Click the red delete button in the upper right corner to delete the user, then click Add New User. Fill in the form with a password of at least 8 characters containing English letters, select User as the role, and select testuser1 and testuser2 as the associated groups, respectively. The steps for testuser2 are essentially the same and are omitted.
After manual creation the user is displayed as follows, with User Source shown as Internal. When logged in as this user you can see the permission policies of the components, but you cannot add any policy. If you try to add one, saving prompts the following error:
Neither testuser1 nor testuser2 currently has write permission on the /test directory in HDFS.
Then, as the Ranger admin user, give testuser1 all permissions on the /test directory and delegate admin permission, that is, check Delegate Admin, so that testuser1 can then authorize testuser2 for the verification.
Verify the testuser1 permissions and create the directories whose permissions will be verified next. To avoid interference from the permissions of HDFS itself, all directory permissions are set to 700.
Allow Conditions policy setting and verification
The specific policy settings are as follows:
Verify as follows:
Exclude from Allow Conditions policy verification. testuser2 has no read or write permission of its own on the /test/Exclude directory. All permissions are given in Allow Conditions, but read permission is excluded in Exclude from Allow Conditions. In this case testuser2 has write permission but no read permission. This confirms that the Exclude from Allow Conditions policy has taken effect, and confirms the design logic that rejection takes priority:
Deny policy verification. This is similar to the Exclude from Allow policy: testuser2 has no permissions of its own on the /test/Deny directory, all permissions are given in Allow Conditions for the verification, and read permission is denied in Deny Conditions. This likewise confirms that the Deny policy is in effect and that rejection takes precedence.
The verification shows that the Deny Conditions policy takes effect for testuser2. Switch to the testuser1 user to verify a user that is not covered by Deny Conditions.
Exclude from Deny Conditions policy verification. Likewise, testuser2 has no permissions of its own on /test/ExcludeDeny. All permissions for this directory are given in Allow Conditions, and Deny Conditions and Exclude from Deny Conditions are then set as follows. The result is consistent with the Deny Conditions policy.
The verification shows that the Exclude from Deny Conditions policy is in effect for testuser2. Because the Deny Conditions setting is excluded, the directory can be read normally.
If you remove the Read exclusion from Exclude from Deny Conditions, the directory can be written but not read, as set below.
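The evaluation order verified in section 3.2, as a simplified model. This is an added example, not code from the original article or from Ranger itself: the key names policyItems, allowExceptions, denyPolicyItems and denyExceptions follow Ranger's policy JSON model, while the policy contents, the execute access type and the "fallback" result (no Ranger decision, so the 700 HDFS permissions decide) are assumptions reconstructed from the text.

```python
# Simplified model of Ranger policy-item evaluation (added example, not Ranger source).
# Users and paths are the article's test values; policy contents are reconstructed.
ALL = {"read", "write", "execute"}

def item(users, accesses):
    return {"users": set(users), "accesses": set(accesses)}

POLICIES = [  # constructed to mirror the policies described in section 3.2
    {"path": "/test", "policyItems": [item(["testuser1"], ALL)]},
    {"path": "/test/Exclude",
     "policyItems": [item(["testuser2"], ALL)],
     "allowExceptions": [item(["testuser2"], ["read"])]},
    {"path": "/test/Deny",
     "policyItems": [item(["testuser2"], ALL)],
     "denyPolicyItems": [item(["testuser2"], ["read"])]},
    {"path": "/test/ExcludeDeny",
     "policyItems": [item(["testuser2"], ALL)],
     "denyPolicyItems": [item(["testuser2"], ["read"])],
     "denyExceptions": [item(["testuser2"], ["read"])]},
]

def matches(policy, path):
    # Recursive resource match: the policy path itself or anything beneath it.
    root = policy["path"].rstrip("/")
    return path == root or path.startswith(root + "/")

def hit(policy, key, user, access):
    return any(user in i["users"] and access in i["accesses"]
               for i in policy.get(key, []))

def evaluate(policies, user, path, access):
    """Return 'deny', 'allow', or 'fallback' (no Ranger decision)."""
    matched = [p for p in policies if matches(p, path)]
    # Deny items are checked first; a deny exception cancels the deny.
    for p in matched:
        if hit(p, "denyPolicyItems", user, access) and \
           not hit(p, "denyExceptions", user, access):
            return "deny"
    # Allow items next; an allow exception cancels the allow.
    for p in matched:
        if hit(p, "policyItems", user, access) and \
           not hit(p, "allowExceptions", user, access):
            return "allow"
    return "fallback"

def without_deny_exceptions(policies):
    # Models the last step above: the Read exclusion is removed again.
    return [{k: v for k, v in p.items() if k != "denyExceptions"} for p in policies]
```

A "fallback" result on a directory with mode 700 owned by another user means the request is refused by HDFS itself, which is why the excluded read on /test/Exclude fails even though no deny item matches.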
That concludes this walkthrough of how to use Ranger to authorize HDFS.