hadoop-common-user mailing list archives

From Don Bosco Durai <bo...@apache.org>
Subject Re: allow all users to decrypt?
Date Thu, 10 Nov 2016 05:22:24 GMT
Hi Ben

 

> Alternatively, is there any way to add the user DOMAIN\build to ranger?

Ranger uses the same username that is used by HDFS. And that will depend on how your core-site.xml
is configured or how the users are materialized on the Linux boxes. You can check the Ranger
Audits to see what username is logged corresponding to “DOMAIN\build”. This is what
HDFS passes to Ranger. Generally, it is the Unix OS-friendly name, which you can manually add
via the Ranger UI.

 

> Ideally I would like all users to be able to encrypt and decrypt data from hdfs

This is pretty straightforward in Ranger. You can create a new policy with “*” (all resources)
and give the “decrypteek” permission to the special group “public”. This will allow all
users to decrypt the EEK and use it on the files for which they have read permission.

 

Bosco

 

 

From: Benjamin Ross <bross@Lattice-Engines.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Tuesday, November 8, 2016 at 5:44 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Cc: "user@hadoop.apache.org" <user@hadoop.apache.org>
Subject: allow all users to decrypt?

 

All, 

I'm in the process of configuring our system for hadoop encryption.  We're nearly complete
- one of the last issues is that we have a build user that needs to decrypt data to read it
from hdfs.  The issue is that the build user is an Active Directory user, so the username
is DOMAIN\build, rather than just build.  I can't add this username to ranger because the
ranger UI doesn't allow adding the \ character.

 

Ideally I would like all users to be able to encrypt and decrypt data from hdfs.  It just
would make our lives a lot easier - it's explicitly what we want.

 

Is there any way to do this?  Alternatively, is there any way to add the user DOMAIN\build
to ranger?

 

Worst case scenario, I can just modify the test to set HADOOP_USER_NAME to be build, but I'd
prefer not to do that.

 

Thanks in advance,

Ben
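
Added example, not part of the original messages or of Ranger's own code: a small check over Ranger KMS policies, in the JSON shape Ranger uses for policies, that reports who holds "decrypteek" on a given key and whether the "public" group policy described in the reply is what opens it to every user. The policy names, key names and the "etl" group are constructed, and the check is simplified: it ignores deny items and resource excludes, and approximates Ranger's wildcard matching with glob matching.

```python
from fnmatch import fnmatchcase

# Constructed sample policies, shaped like Ranger policy JSON for a KMS service.
POLICIES = [
    {"name": "all-users-decrypt", "isEnabled": True,   # the policy from the reply
     "resources": {"keyname": {"values": ["*"]}},
     "policyItems": [{"groups": ["public"], "users": [],
                      "accesses": [{"type": "decrypteek", "isAllowed": True}]}]},
    {"name": "etl-key", "isEnabled": True,
     "resources": {"keyname": {"values": ["etl_*"]}},
     "policyItems": [{"groups": ["etl"], "users": ["build"],
                      "accesses": [{"type": "decrypteek", "isAllowed": True},
                                   {"type": "generateeek", "isAllowed": True}]}]},
    {"name": "old-open-policy", "isEnabled": False,    # disabled, must be ignored
     "resources": {"keyname": {"values": ["*"]}},
     "policyItems": [{"groups": ["public"], "users": [],
                      "accesses": [{"type": "decrypteek", "isAllowed": True}]}]},
]


def decrypt_grants(policies, key_name):
    """Return (users, groups) granted decrypteek on key_name by enabled policies."""
    users, groups = set(), set()
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue
        patterns = policy.get("resources", {}).get("keyname", {}).get("values", [])
        if not any(fnmatchcase(key_name, pat) for pat in patterns):
            continue
        for item in policy.get("policyItems", []):
            allowed = any(a.get("type") == "decrypteek" and a.get("isAllowed", True)
                          for a in item.get("accesses", []))
            if allowed:
                users.update(item.get("users", []))
                groups.update(item.get("groups", []))
    return users, groups


def open_to_everyone(policies, key_name):
    """True when the special group "public" can decrypt EEKs for key_name."""
    return "public" in decrypt_grants(policies, key_name)[1]


if __name__ == "__main__":
    for key in ("etl_prod", "finance"):
        print(key, decrypt_grants(POLICIES, key), open_to_everyone(POLICIES, key))
```

With the "public" policy in place, the HDFS read permission on the files is the only remaining control over who sees plaintext.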

 
