Description
Steps to reproduce the issue:
Step 1
======
Create a new HDFS policy in Ranger.
Policy Details:
- Policy Name: testcase
- Resource Path: /testcase
Allow Conditions:
- Select User: testuser
- Enabled: yes
- Recursive: yes
- Audit Logging: yes
- Permissions: Read, Write, Execute
Make a note of the Policy ID of the new policy. In my case, it was Policy ID 1976.
Note that "testuser" should be a non-privileged account. On my cluster I'm using "testuser", but you may choose something different.
Step 2
======
Run the following commands whilst authenticated as the "hdfs" superuser:
$ hdfs dfs -mkdir -p /testcase/dir1
$ hdfs dfsadmin -allowSnapshot /testcase
$ hdfs dfs -createSnapshot /testcase s1
Step 3
======
Run the following commands whilst authenticated as the "testuser" user:
$ hdfs dfs -ls /testcase
$ hdfs dfs -ls /testcase/dir1
$ hdfs dfs -ls /testcase/.snapshot/s1
NOTE: you might get a permission denied error when you run "hdfs dfs -ls /testcase/.snapshot/s1". For the purposes of this test case, it does not matter whether the command succeeds.
Step 4
======
Review the Ranger audit log for the 3 commands you just ran and note the following:
- The policy id for the first command (hdfs dfs -ls /testcase) is the policy id of the policy created in step 1, e.g. 1976
- The policy id for the second command (hdfs dfs -ls /testcase/dir1) is the policy id of the policy created in step 1, e.g. 1976
- The policy id for the third command (hdfs dfs -ls /testcase/.snapshot/s1) is "-1", i.e. Ranger did not find a matching policy
Therefore, Ranger HDFS policy is not evaluated for HDFS snapshots.
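
The Step 4 review can be automated. The following is an added example, not part of the original report or of Ranger itself: it scans audit events for snapshot paths with policy id -1 and pairs each with the policy id logged for the corresponding live path. The JSON field names (reqUser, resource, policy, enforcer) and the sample records are assumptions constructed for illustration; check them against your own audit output.

```python
import json
import re

# Constructed sample records mirroring the three commands in Step 3.
# Field names are an assumed audit JSON layout; values are made up.
SAMPLE_AUDIT = """\
{"reqUser":"testuser","resource":"/testcase","access":"READ_EXECUTE","result":1,"policy":1976,"enforcer":"ranger-acl"}
{"reqUser":"testuser","resource":"/testcase/dir1","access":"READ_EXECUTE","result":1,"policy":1976,"enforcer":"ranger-acl"}
{"reqUser":"testuser","resource":"/testcase/.snapshot/s1","access":"READ_EXECUTE","result":1,"policy":-1,"enforcer":"hadoop-acl"}
"""

# <root>/.snapshot[/<snapshot name>[/<path inside the snapshot>]]
SNAPSHOT_RE = re.compile(
    r"^(?P<root>.*?)/\.snapshot(?:/(?P<name>[^/]+)(?P<rest>/.*)?)?$")


def live_path(resource):
    """Map /a/.snapshot/s1/b to the live path /a/b; None if not a snapshot path."""
    m = SNAPSHOT_RE.match(resource)
    if not m:
        return None
    return (m.group("root") + (m.group("rest") or "")) or "/"


def unmatched_snapshot_access(lines):
    """Return snapshot accesses that no Ranger policy matched (policy == -1),
    each paired with the policy id logged for the corresponding live path."""
    events = [json.loads(line) for line in lines if line.strip()]
    # Policy id last seen per resource path, ignoring unmatched events.
    seen = {e["resource"]: e["policy"] for e in events if e["policy"] != -1}
    findings = []
    for e in events:
        live = live_path(e["resource"])
        if live is not None and e["policy"] == -1:
            findings.append({
                "user": e["reqUser"],
                "snapshot_path": e["resource"],
                "live_path": live,
                "live_policy": seen.get(live),  # None if never observed
                "enforcer": e.get("enforcer"),
            })
    return findings


if __name__ == "__main__":
    for finding in unmatched_snapshot_access(SAMPLE_AUDIT.splitlines()):
        print(finding)
```

A finding whose live_policy is set while the snapshot access shows -1 is the mismatch described above: the live path is covered by a Ranger policy, but the snapshot copy of it was not matched by any.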