This is a common point of confusion, so I did some tests which I hope will clarify.
TEST 1:
Setup:
1. Create a user directory /user/myuser with 777 permissions in HDFS
2. Make a policy in ranger that allows user mktg1 only read access to /user/myuser
Result:
1. It always allows mktg1 to write
2. Ranger Audit says "Access Enforcer" is hadoop-acl
This is expected behaviour
EXPLANATION:
The way a Ranger policy normally works is it searches until it either runs out of options, or it allows access. So, in this case, it first checks the Ranger policy, sees it can't write, then checks HDFS permissions, sees it CAN write and then allows the write.
In order to avoid this situation, you must totally lock down filesystem permissions. That is something like chmod 700. Then you can administer access via Ranger policies.
Ranger policies can only allow access; if nothing allows access (including by default HDFS permissions) then it will deny.
TEST 2:
Setup:
1. Create a user directory /user/myuser with 000 permissions in HDFS
2. Make a policy in ranger that allows user mktg1 read+execute access to /user/myuser
Result:
1. As the user it1:
[it1@sandbox conf]$ hadoop fs -ls /user/myuser
ls: Permission denied: user=it1, access=READ_EXECUTE, inode="/user/myuser":hdfs:hdfs:d---------
2. As the user mktg1:
[mktg1@sandbox conf]$ hadoop fs -ls /user/myuser
Found 10 items
-rw-r--r-- 1 root hdfs 529 2015-06-24 12:30 /user/myuser/test.csv
“Access Enforcer” is xasecure-acl in the Ranger Audit UI
3. As the user mktg1:
[mktg1@sandbox ~]$ hdfs dfs -put test.txt /user/myuser
put: Permission denied: user=mktg1, access=WRITE, inode="/user/myuser":hdfs:hdfs:d---------
File system permissions mean that no one is allowed to access the directory, but the Ranger policy allows mktg1 to read it, but not write.
