Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Is it a problem if I deny ranger user itself from accessing resources via ranger policies?

Is it a problem if I deny ranger user itself from accessing resources via ranger policies?

Rising Star

Is it a problem if I deny ranger user itself from accessing resources via ranger policies? Trying to set a policy so that only a certain user user1 can access an HDFS resource, found that setting an allow condition was meaningless unless had also set a deny public condition for the policy. However, after doing this, found that the ranger user was actually trying to access this location (and getting denied because of the deny public condition): 110209-1565302180304.pngSo my questions are:

  1. Should I add an exclude-from-deny condition to the policy? Ie. is it a big deal that ranger gets denied? How could I tell?
  2. What is ranger doing here (all the audit tells me is that it was trying to access that path for something)?
  3. Is there a better way to allow hadoop service users that need to access all parts of the cluster (given that I can't anticipate which they are (perhaps there is HDP documentation out there detailing this))?
Don't have an account?
Coming from Hortonworks? Activate your account here