Here are some scenarios that help explain how Allow/Deny conditions and Allow/Deny exclude conditions work in Apache Ranger.

Suppose we have

LDAP users: smith, roger, clark and mike 

LDAP groups: developer (smith, roger), datascientist (clark, mike)

HDFS Resource: /perm

Hadoop ACL on /perm: drwxr-xr-x   - hduser supergroup

Policy applied to the HDFS resource (i.e., /perm) is as follows:

Description:

The policy says that users of the Developer group can do nothing, i.e., they have no read, write or execute permissions, except user Roger, who has all permissions. All users of the DataScientist group have all permissions, i.e., Read, Write and Execute, except user Mike, who cannot write.


Test_ID | User  | Group         | Command                    | Expected_Result | Actual_Result | Policy Enforcer
--------|-------|---------------|----------------------------|-----------------|---------------|----------------
1       | roger | developer     | hdfs dfs -ls /perm         | Allowed         | Allowed       | ranger-acl
2       | roger | developer     | hdfs dfs -mkdir /perm/dir1 | Allowed         | Allowed       | ranger-acl
3       | smith | developer     | hdfs dfs -mkdir /perm/dir2 | Denied          | Denied        | ranger-acl
4       | smith | developer     | hdfs dfs -ls /perm         | Denied          | Denied        | ranger-acl
5       | clark | datascientist | hdfs dfs -ls /perm         | Allowed         | Allowed       | ranger-acl
6       | clark | datascientist | hdfs dfs -mkdir /perm/dir3 | Allowed         | Allowed       | ranger-acl
7       | mike  | datascientist | hdfs dfs -mkdir /perm/dir4 | Depends         | Denied        | hadoop-acl
8       | mike  | datascientist | hdfs dfs -ls /perm         | Depends         | Allowed       | hadoop-acl

Details

Test_ID_1

As roger is a developer who is excluded from the Deny condition and is part of the Allow condition, he is allowed to read the HDFS resource, i.e., /perm.

Test_ID_2

As roger is a developer who is excluded from the Deny condition and is part of the Allow condition, he is allowed to write to the HDFS resource, i.e., /perm.

Test_ID_3

As smith is a developer and is not excluded from the Deny condition, he is not allowed to write to the HDFS resource, i.e., /perm.

Test_ID_4

As smith is a developer and is not excluded from the Deny condition, he is not allowed to read from the HDFS resource, i.e., /perm.

Test_ID_5

As clark is a datascientist, he is part of the Allow condition (he is neither part of the Deny condition nor excluded from the Allow condition), so he is allowed to read from the HDFS resource, i.e., /perm.

Test_ID_6

As clark is a datascientist, he is part of the Allow condition (he is neither part of the Deny condition nor excluded from the Allow condition), so he is allowed to write to the HDFS resource, i.e., /perm.

Test_ID_7

As mike is a datascientist who is excluded from the Allow condition for the WRITE and EXECUTE permissions, and there are no other policies with matching Allow conditions, the decision falls back to the native Hadoop ACL, which does not allow mike to write to the HDFS resource, i.e., /perm.

Test_ID_8

As mike is a datascientist who is part of the Allow condition for the READ permission, but the EXECUTE permission is excluded from the Allow condition and there are no other matching Allow conditions, the decision falls back to the native Hadoop ACL, which allows mike to read from the HDFS resource, i.e., /perm.


Note: if no allow condition matches the request, components like HDFS and YARN fall back to their native ACL to determine access. Therefore the Policy Enforcer for Test_ID 7 and 8 is hadoop-acl.
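The evaluation order behind the eight test cases above, written out as an added example (this is a simplified model, not Ranger's own plugin code). Because the policy image is missing from the page, the policy items are an assumption reconstructed from the Description: an Allow item for both groups, an Allow exclude for mike on write/execute, a Deny item for the developer group, and a Deny exclude for roger. The Hadoop ACL fallback models only the POSIX mode bits shown on the page (drwxr-xr-x, owner hduser, group supergroup), not HDFS extended ACLs or superuser handling.

```python
"""Simplified model of Apache Ranger allow/deny/exclude evaluation for an HDFS path.

Added illustration, not Ranger's implementation. Users, groups, the policy on /perm
and the Hadoop ACL are taken from the page; the exact policy items are assumed.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"
ALL = frozenset({READ, WRITE, EXECUTE})

# LDAP users and groups from the page
GROUPS = {
    "smith": {"developer"}, "roger": {"developer"},
    "clark": {"datascientist"}, "mike": {"datascientist"},
}


@dataclass(frozen=True)
class PolicyItem:
    """One allow/deny (or exclude) row: who it applies to and for which accesses."""
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    accesses: frozenset = frozenset()

    def matches(self, user, access):
        in_scope = user in self.users or bool(GROUPS.get(user, set()) & self.groups)
        return access in self.accesses and in_scope


@dataclass
class Policy:
    allow: list
    allow_exceptions: list
    deny: list
    deny_exceptions: list


def _any(items, user, access):
    return any(item.matches(user, access) for item in items)


def ranger_decision(policy, user, access):
    """Decide one access type: deny items first (minus deny excludes), then allow items
    (minus allow excludes); anything else is not determined by Ranger."""
    if _any(policy.deny, user, access) and not _any(policy.deny_exceptions, user, access):
        return "deny"
    if _any(policy.allow, user, access) and not _any(policy.allow_exceptions, user, access):
        return "allow"
    return "not_determined"


@dataclass
class HadoopAcl:
    """Native HDFS permission bits, e.g. mode=0o755 for drwxr-xr-x."""
    owner: str
    group: str
    mode: int

    def permits(self, user, access):
        bit = {READ: 4, WRITE: 2, EXECUTE: 1}[access]
        if user == self.owner:
            shift = 6
        elif self.group in GROUPS.get(user, set()):
            shift = 3
        else:
            shift = 0
        return bool((self.mode >> shift) & bit)


def authorize(policy, acl, user, accesses):
    """Return (result, enforcer) for a request that needs every access in `accesses`.
    Any Ranger deny wins; a full Ranger allow is enforced by ranger-acl; otherwise the
    decision falls back to the native Hadoop ACL, as the page's note describes."""
    decisions = {a: ranger_decision(policy, user, a) for a in accesses}
    if "deny" in decisions.values():
        return "Denied", "ranger-acl"
    if all(d == "allow" for d in decisions.values()):
        return "Allowed", "ranger-acl"
    native_ok = all(acl.permits(user, a) for a in accesses)
    return ("Allowed" if native_ok else "Denied"), "hadoop-acl"


# Assumed reconstruction of the policy on /perm from the page's Description
PERM_POLICY = Policy(
    allow=[PolicyItem(groups=frozenset({"developer", "datascientist"}), accesses=ALL)],
    allow_exceptions=[PolicyItem(users=frozenset({"mike"}), accesses=frozenset({WRITE, EXECUTE}))],
    deny=[PolicyItem(groups=frozenset({"developer"}), accesses=ALL)],
    deny_exceptions=[PolicyItem(users=frozenset({"roger"}), accesses=ALL)],
)
PERM_ACL = HadoopAcl(owner="hduser", group="supergroup", mode=0o755)

# Access types the two HDFS commands need on the directory /perm
LS = frozenset({READ, EXECUTE})        # hdfs dfs -ls /perm
MKDIR = frozenset({WRITE, EXECUTE})    # hdfs dfs -mkdir /perm/dirN


def run_table():
    """Replay the page's eight test cases; returns {Test_ID: (result, enforcer)}."""
    cases = [(1, "roger", LS), (2, "roger", MKDIR), (3, "smith", MKDIR), (4, "smith", LS),
             (5, "clark", LS), (6, "clark", MKDIR), (7, "mike", MKDIR), (8, "mike", LS)]
    return {tid: authorize(PERM_POLICY, PERM_ACL, user, acc) for tid, user, acc in cases}


if __name__ == "__main__":
    for tid, (result, enforcer) in run_table().items():
        print(f"Test_ID_{tid}: {result} ({enforcer})")
```

Running the block reproduces the Actual_Result and Policy Enforcer columns of the table: roger and clark are decided by ranger-acl, smith is denied by ranger-acl, and mike's two requests are the only ones where an access type ends up not determined (his excluded write/execute), so they fall through to the mode bits, which give "others" r-x and therefore deny mkdir but allow ls.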

1 Comment

  1. This will help clarify one of the frequently asked questions. Thanks for putting this together. A couple of comments:

     - the policy image is not visible. Consider uploading the image to the wiki and adding the link to the uploaded image.

     - since the deny/exceptions feature was introduced in ranger-0.6, please move this wiki to "0.6 Release".