https://community.cloudera.com/t5/Support-Questions/Hadoop-backup-with-distcp-org-apache-hadoop-security/m-p/304070#M221867 <P>Thank you for your answers, but we have been doing som digging and it looks like the operation with distcp bypass the Ranger policy and use HDFS ACL instead.</P><P>&nbsp;</P><P>We have a Ranger allow policy that says that the user XXXXX can read and execute&nbsp; in /* . But in the audit log we get an EXECUTE access denied to:</P><P>/databank</P><P>Access enforcer:hadoop-acl</P><P>&nbsp;</P><P>and a READ access denied to:</P><P><SPAN>/databank/.snapshot/databank_201...</SPAN></P><P><SPAN>Access enforcer: hadoop-acl</SPAN></P><P>&nbsp;</P><P><SPAN>Moreover, we have a directory where the backup succeed because it has POSIX permissions read and execute for others and other with rwx permissions for the owner only that fail equally.</SPAN></P><P>But should it not Ranger Policy apply and override the HDFS POSIX permissions? It looks like that what happens is the opposite, HDFS permissions override Ranger policy.</P><P>Brgds, Paz</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 08 Oct 2020 11:48:34 GMT pazufst 2020-10-08T11:48:34Z