Is it a problem if I deny ranger user itself from accessing resources via ranger policies? Trying to set a policy so that only a certain user user1 can access an HDFS resource, found that setting an allow condition was meaningless unless had also set a deny public condition for the policy. However, after doing this, found that the ranger user was actually trying to access this location (and getting denied because of the deny public condition): So my questions are:
Should I add an exclude-from-deny condition to the policy? Ie. is it a big deal that ranger gets denied? How could I tell?
What is ranger doing here (all the audit tells me is that it was trying to access that path for something)?
Is there a better way to allow hadoop service users that need to access all parts of the cluster (given that I can't anticipate which they are (perhaps there is HDP documentation out there detailing this))?