Here are some scenarios that would help understand How Allow/Deny, Allow/Deny exclude work in Apache Ranger.
Suppose we have
LDAP users: smith, roger, clark and mike
LDAP groups: developer (smith, roger), datascientist (clark, mike)
HDFS Resource: /perm
Hadoop ACL on /perm: drwxr-xr-x - hduser supergroup
Policy applied to HDFS resource (i.e.,/perm) is as following:
Description:
Policy explains users of Developer group can do nothing i.e., having no read, write and execute permissions except user Roger who has got all permissions. All users of DataScientist group have got all permissions i.e., Read, Write and Execute except user Mike who can't write.
| Test_ID | User | Group | Command | Expected_Result | Actual_Result | Policy Enforcer |
|---|---|---|---|---|---|---|
| 1 | roger | developer | hdfs dfs -ls /perm | Allowed | Allowed | ranger-acl |
| 2 | roger | developer | hdfs dfs -mkdir /perm/dir1 | Allowed | Allowed | ranger-acl |
| 3 | smith | developer | hdfs dfs -mkdir /perm/dir2 | Denied | Denied | ranger-acl |
| 4 | smith | developer | hdfs dfs -ls /perm | Denied | Denied | ranger-acl |
| 5 | clark | datascientist | hdfs dfs -ls /perm | Allowed | Allowed | ranger-acl |
| 6 | clark | datascientist | hdfs dfs -mkdir /perm/dir3 | Allowed | Allowed | ranger-acl |
| 7 | mike | datascientist | hdfs dfs -mkdir /perm/dir4 | Depends | Denied | hadoop-acl |
| 8 | mike | datascientist | hdfs dfs -ls /perm | Depends | Allowed | hadoop-acl |
Details
Test_ID_1
As roger is a developer, Excluded from Deny condition and part of Allow condition so he is allowed to read the HDFS resource i.e., /perm
Test_ID_2
As roger is a developer, Excluded from Deny condition and part of Allow condition so he is allowed to write to HDFS resource i.e., /perm
Test_ID_3
As smith is a developer and not excluded from Deny condition so he is not allowed to write to HDFS resource i.e., /perm
Test_ID_4
As smith is a developer and not excluded from Deny condition so he is not allowed to read from HDFS resource i.e., /perm
Test_ID_5
As clark is a datascientist, part of Allow condition i.e., neither is part of Deny condition nor excluded from Allow condition, so he is allowed to read from HDFS resource i.e., /perm
Test_ID_6
As clark is a datascientist, part of Allow condition i.e., neither is part of Deny condition nor excluded from Allow condition, so he is allowed to write to HDFS resource i.e., /perm
Test_ID_7
As mike is a datascientist, Excluded from Allow condition for permissions WRITE and EXECUTE and there are no more Policies with Allow conditions, so decision will fallback to native Hadoop ACL which does not allow mike to write to HDFS resource i.e., /perm
Test_ID_8
As mike is a datascientist, part of Allow condition for permission READ but EXECUTE permission is excluded from Allow condition and there are no more allow conditions, so decision will fallback to native Hadoop ACL which allows mike to read from HDFS resource i.e., /perm
1 Comment
Madhan Neethiraj
This will help clarify one of the frequently asked questions. Thanks for putting this together. Couple of comments:
- the policy image is not visible. Consider uploading the image to the wiki and add the link to the uploaded image
- since deny/exceptions feature is introduced in ranger-0.6, please move this wiki to "0.6 Release"