question User can still see / read on paths that it does not own in Archives of Support Questions (Read Only) https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-still-see-read-on-paths-that-it-does-not-own/m-p/116138#M46958 <P>I have set a Ranger policy enabling a certain newuser to read/write/execute only on his own home directory in HDFS, say /user/&lt;newuser&gt;. While the policy certainly works on his own path, however, I do not want newuser to be able to read directories and files outside its own, which still happens when I do:</P><PRE>hadoop fs -ls /</PRE><P>Or on some other directories. Same thing happens when newuser is logged in in Hue.</P><P>How do I do this in Ranger?</P> Tue, 22 Nov 2016 18:27:43 GMT menorah84 2016-11-22T18:27:43Z User can still see / read on paths that it does not own https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-still-see-read-on-paths-that-it-does-not-own/m-p/116138#M46958 <P>I have set a Ranger policy enabling a certain newuser to read/write/execute only on his own home directory in HDFS, say /user/&lt;newuser&gt;. While the policy certainly works on his own path, however, I do not want newuser to be able to read directories and files outside its own, which still happens when I do:</P><PRE>hadoop fs -ls /</PRE><P>Or on some other directories. Same thing happens when newuser is logged in in Hue.</P><P>How do I do this in Ranger?</P> Tue, 22 Nov 2016 18:27:43 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-still-see-read-on-paths-that-it-does-not-own/m-p/116138#M46958 menorah84 2016-11-22T18:27:43Z Re: User can still see / read on paths that it does not own https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-still-see-read-on-paths-that-it-does-not-own/m-p/116139#M46959 <P>that is because HDFS posix permission is there on base dir , so make that is 000 </P> Tue, 22 Nov 2016 18:29:45 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-still-see-read-on-paths-that-it-does-not-own/m-p/116139#M46959 dsharma 2016-11-22T18:29:45Z Re: User can still see / read on paths that it does not own https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-still-see-read-on-paths-that-it-does-not-own/m-p/116140#M46960 <P>Hi <A rel="user" href="https://community.cloudera.com/users/1651/menorah84.html" nodeid="1651">@J. D. Bacolod</A> - please see this article I wrote a while ago which explains how Ranger works: <A href="https://community.hortonworks.com/content/kbentry/49177/how-do-ranger-policies-work-in-relation-to-hdfs-po.html" target="_blank">https://community.hortonworks.com/content/kbentry/49177/how-do-ranger-policies-work-in-relation-to-hdfs-po.html</A></P><P>From HDP 2.5, there is also the potential to Deny access explicitly via a Deny policy. See this article on how to enable them: <A href="https://community.hortonworks.com/content/kbentry/61208/how-to-enable-deny-conditions-and-excludes-in-rang.html" target="_blank">https://community.hortonworks.com/content/kbentry/61208/how-to-enable-deny-conditions-and-excludes-in-rang.html</A></P><P>Hope this helps!</P> Tue, 22 Nov 2016 18:32:51 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/User-can-still-see-read-on-paths-that-it-does-not-own/m-p/116140#M46960 agillan 2016-11-22T18:32:51Z