Updated on 2022-12-08 GMT+08:00

Permission Verification Policies

Security Mode

After a user is authenticated by the big data platform, the system determines whether to verify the user's permission based on the actual permission management configuration to ensure that the user has limited or all permission on resources. If the user does not have sufficient permission, the user can access resources only after the MRS cluster administrator grant related permission on each component to the user. The cluster provides permission verification capabilities in both Security Mode and Normal Mode. Permission on components is the same in the two modes.

By default, the Ranger service is installed and Ranger authentication is enabled for a newly installed cluster in security mode. You can set fine-grained security access policies for accessing component resources through the permission plug-in of the component. If Ranger authentication is not required, you can manually disable Ranger authentication on the service page. After Ranger authentication is disabled, the system continues to perform permission control based on the role model of FusionInsight Manager when accessing component resources.

In a cluster in security mode, the following components support Ranger authentication: HDFS, Yarn, Kafka, Hive, HBase, Storm, Spark2x, Impala.

In a cluster upgraded from an earlier version, Ranger authentication is not used by default when users access component resources. The administrator can manually enable Ranger authentication after installing the Ranger service.

By default, all components in the cluster in Security Mode perform permission verification on access in a unified manner, and the permission verification function cannot be disabled.

Normal Mode

Different components in the cluster in Normal Mode use different open-source permission verification behavior. Table 1 lists detailed permission verification mechanisms.

In a cluster in non-security mode, the Ranger supports permission control on component resources based on OS users. The following components support Ranger authentication: HBase, HDFS, Hive, Spark2x, and Yarn.

Table 1 Component permission verification modes in Normal Mode

Service

Permission Verification

Permission Verification Enabling and Disabling

ClickHouse

Required

Not supported

Flume

Not required

Not supported

HBase

Not required

Supported

HDFS

Required

Supported

Hive

Not required

Not supported

Hue

Not required

Not supported

Kafka

Not required

Not supported

Loader

Not required

Not supported

Mapreduce

Not required

Not supported

Oozie

Required

Not supported

Spark2x

Not required

Not supported

Storm

Not required

Not supported

Yarn

Not required

Supported

ZooKeeper

Required

Supported

Condition Priorities of the Ranger Permission Policy

When configuring a permission policy for a resource, you can configure Allow Conditions, Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions for the resource, to meet unexpected requirements in different scenarios.

The priorities of different conditions are listed in descending order: Exclude from Deny Conditions > Deny Conditions > Exclude from Allow Conditions > Allow Conditions

The following figure shows the process of determining condition priorities. If the component resource request does not match the permission policy in Ranger, the system rejects the access by default. However, for HDFS and Yarn, the system delivers the decision to the access control layer of the component for determination.

For example, if you want to grant the read and write permissions of the FileA folder to the groupA user group, but the user in the group is not UserA, you can add an allowed condition and an exception condition.