Permission Verification Policies
Security Mode
After a user is authenticated by the big data platform, the system determines whether to verify the user's permission based on the actual permission management configuration to ensure that the user has limited or all permission on resources. If the user does not have sufficient permission, the user can access resources only after the MRS cluster administrator grant related permission on each component to the user. The cluster provides permission verification capabilities in both Security Mode and Normal Mode. Permission on components is the same in the two modes.
By default, the Ranger service is installed and Ranger authentication is enabled for a newly installed cluster in security mode. You can set fine-grained security access policies for accessing component resources through the permission plug-in of the component. If Ranger authentication is not required, you can manually disable Ranger authentication on the service page. After Ranger authentication is disabled, the system continues to perform permission control based on the role model of FusionInsight Manager when accessing component resources.
In a cluster in security mode, the following components support Ranger authentication: HDFS, Yarn, Kafka, Hive, HBase, Storm, Spark2x, Impala.
In a cluster upgraded from an earlier version, Ranger authentication is not used by default when users access component resources. The administrator can manually enable Ranger authentication after installing the Ranger service.
By default, all components in the cluster in Security Mode perform permission verification on access in a unified manner, and the permission verification function cannot be disabled.
Normal Mode
Different components in the cluster in Normal Mode use different open-source permission verification behavior. Table 1 lists detailed permission verification mechanisms.
In a cluster in non-security mode, the Ranger supports permission control on component resources based on OS users. The following components support Ranger authentication: HBase, HDFS, Hive, Spark2x, and Yarn.
Service |
Permission Verification |
Permission Verification Enabling and Disabling |
---|---|---|
ClickHouse |
Required |
Not supported |
Flume |
Not required |
Not supported |
HBase |
Not required |
Supported |
HDFS |
Required |
Supported |
Hive |
Not required |
Not supported |
Hue |
Not required |
Not supported |
Kafka |
Not required |
Not supported |
Loader |
Not required |
Not supported |
Mapreduce |
Not required |
Not supported |
Oozie |
Required |
Not supported |
Spark2x |
Not required |
Not supported |
Storm |
Not required |
Not supported |
Yarn |
Not required |
Supported |
ZooKeeper |
Required |
Supported |
Condition Priorities of the Ranger Permission Policy
When configuring a permission policy for a resource, you can configure Allow Conditions, Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions for the resource, to meet unexpected requirements in different scenarios.
The priorities of different conditions are listed in descending order: Exclude from Deny Conditions > Deny Conditions > Exclude from Allow Conditions > Allow Conditions
The following figure shows the process of determining condition priorities. If the component resource request does not match the permission policy in Ranger, the system rejects the access by default. However, for HDFS and Yarn, the system delivers the decision to the access control layer of the component for determination.
For example, if you want to grant the read and write permissions of the FileA folder to the groupA user group, but the user in the group is not UserA, you can add an allowed condition and an exception condition.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot