Before I explain the policy details, let me show you how I created the directory on HDFS.
d--------- - root hdfs 0 2016-09-02 06:47 /test-ranger ----->(no read/write/execute permission for any other 'ugo').
There is 'hr_user', to which I want to provide only read access.
But when I log in as hr_user on the machine and try to access that directory, it gives me an error:
Error: Permission denied: user=hr_user, access=READ_EXECUTE, inode="/test-ranger":root:hdfs:d---------
Even though I have given read access to this user.
Please help me.
And one more thing: I am not getting access logs within Ranger under the Audit section.
Please find attached the policy details image.
Can you please check whether policy refresh is happening properly? In addition to that, please check in the access audit logs which policy is denying the request, and whether it is denied due to ranger-acl or hadoop-acl.
See, once you update the policy, you can check the plugin audit logs to see whether there is a 200 response there, or you can check the name node to see whether policy refresh is happening. Please attach the updated policy screenshot too.
And in the access audit logs you can apply a filter for the HDFS operation; then it will be easy to check the exact operation.
As others have pointed out, you need READ + EXECUTE permission for directories. That is how directory permissions work. You can see in the error message that "READ_EXECUTE" is the permission that is attempted.
In regards to the access logs for Ranger, do you have Ranger audit logging to Solr enabled? If you do, is Solr running ok? The Ranger interface for showing access logs uses Solr. If you only have your logs written to HDFS, you won't see the access logs via the Ranger interface.
Hi @Michael Young: just wanted to clarify, why do we need execute permission? I know this is how read permission should apply for directories, but do you know the explanation behind this?
1. Can you make sure Test Connection for the HDFS Ranger repository works fine?
2. Check /var/log/ranger/admin/xa_portal.log for errors
3. Log in to the node from which you're trying to log in as hr_user and check whether the policy is synced on that node in the path below:
# ls /etc/ranger/<clustername>_hadoop/policycache  <-- make sure the policy.json file exists here, and also check that the policy you gave the user is reflected here.
4. Finally, check the namenode logs for errors as well.
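An added example, not part of the original thread: a small Python check that reads a Ranger policy cache document and reports which access types a user is still missing for an HDFS request such as READ_EXECUTE on a directory. The sample JSON is constructed, the field names (`policies`, `resources.path`, `policyItems`, `accesses`) are assumptions to verify against your own cache file, and the path matcher is a simplification that handles users only (no groups, wildcards or deny items).

```python
import json

# Constructed sample, modelled on the "policies" list of a Ranger policy cache
# file; field names are assumptions to verify against your own cache file.
SAMPLE_CACHE = json.loads("""
{"serviceName": "cluster_hadoop", "policies": [
  {"id": 7, "name": "test-ranger-read", "isEnabled": true,
   "resources": {"path": {"values": ["/test-ranger"], "isRecursive": true}},
   "policyItems": [{"users": ["hr_user"], "groups": [],
                    "accesses": [{"type": "read", "isAllowed": true}]}]}
]}
""")

# HDFS access requests mapped to the Ranger access types they require.
REQUIRED = {"READ": {"read"}, "READ_EXECUTE": {"read", "execute"}}


def path_matches(resource, path):
    """Simplified matcher: exact match, or prefix match when isRecursive is set."""
    for value in resource.get("values", []):
        base = value.rstrip("/") or "/"
        if path == base:
            return True
        if resource.get("isRecursive") and path.startswith(base.rstrip("/") + "/"):
            return True
    return False


def granted_access(cache, user, path):
    """Collect access types that enabled policies allow `user` on `path`."""
    granted = set()
    for policy in cache.get("policies", []):
        if not policy.get("isEnabled", True):
            continue
        if not path_matches(policy.get("resources", {}).get("path", {}), path):
            continue
        for item in policy.get("policyItems", []):
            if user in item.get("users", []):
                granted |= {a["type"] for a in item.get("accesses", [])
                            if a.get("isAllowed")}
    return granted


def missing_for(cache, user, path, request):
    """Return the access types still missing for the HDFS request, sorted."""
    return sorted(REQUIRED[request] - granted_access(cache, user, path))


if __name__ == "__main__":
    print(missing_for(SAMPLE_CACHE, "hr_user", "/test-ranger", "READ_EXECUTE"))
```

To run it against a real cache, replace `SAMPLE_CACHE` with `json.load()` of the file found under the policycache directory on the NameNode host.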