When Ranger Authentication Is Enabled, Why Can a User Still Perform Operations on the Tasks Created by Itself After All Permissions of the User Are Deleted?

Symptom

In scenarios where Ranger authentication is enabled, after all permissions of a user are canceled, the user can still perform operations on the tasks created by itself. Example:

1. On the Ranger web UI, cancel all permissions of user admintest.

   

2. After logging in to the CDL web UI as user admintest, the user can still perform operations on the tasks created by itself on the Job Management page.

   

Possible Causes

The {OWNER} permission is not deleted from the Ranger policy.

Procedure

1. Log in to FusionInsight Manager as user admin and choose Cluster > Services > Ranger. On the page that is displayed, click the hyperlink next to RangerAdmin UI to access the Ranger web UI.
2. On the Ranger web UI, click the username in the upper right corner, and choose Log Out to log out of the current user. Log in again as user rangeradmin.
3. On the home page, click the component plug-in name in the CDL area, for example, CDL.

   

4. Click in the Action column of each policy, delete user {OWNER} in the Select User column in the Allow Conditions area, and click Save.
5. After 10 minutes, log in to the CDL web UI as the user whose {OWNER} permission has been deleted and attempt to perform operations on the jobs created by the user. It is found that the user does not have the permission to perform related operations.