I am trying to understand Ranger and its role in HDP. I found the below statement mentioned in Ranger documentation.
For an effective management of the policies via Ranger, we recommend that permissions be created at the Ranger Policy Manager, and to have very restrictive permissions at the HDFS level.
Ranger is a plugin-based authorization model. That means that each of the projects that supports Ranger has a "plugin" that interfaces with the Ranger policy engine to provide an interface from the policies administered by Ranger to the authorization APIs for each component. The Ranger policy permissions will override the HDFS file permissions, but work in conjunction with HDFS ACLs (as the plugin provides an interface between the HDFS ACLs and the Ranger policies). What the statement you referred to means is that you should set permissions in HDFS to the most restrictive possible (e.g. hdfs dfs -chmod 600 <file>) and then assign permissions via Ranger. HDFS will look to Ranger for a policy allowing or denying the user access to the file and use that policy to determine authorization.
The plugins for the other components work similarly; however, you will most likely want to manage all of the authorization with Ranger, since it provides a single pane of glass to manage the various authorization APIs for each component.
The phrase of the documentation means that at HDFS level, you go as restrictive as possible. You can change the default mask to 022 or 077 based on your cluster requirements. Give rw default permission only to the owner. For every directory existing on HDFS, or which you plan to use, define a policy in Ranger so access is controlled and everything is through Ranger.
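An added example, not part of either answer above: one way to check that HDFS-level permissions really are restrictive before relying on Ranger policies is to audit the output of `hdfs dfs -ls -R <path>`. The function name `audit`, the `forbidden` parameter and the sample listing are assumptions constructed for illustration.

```python
import re

# Permission column of `hdfs dfs -ls`: type char, 9 mode chars, optional '+'
# when the path also carries HDFS ACL entries.
PERM_RE = re.compile(r"^[d-]([rwx-]{8}[xtT-])(\+?)$")

def to_mode(bits):
    """Convert 'rwxr-x--t' style text to the 9 permission bits as an int."""
    mode = 0
    for i, ch in enumerate(bits):
        # 't' = sticky + execute; 'T' = sticky without execute, so not counted
        if ch in "rwxt":
            mode |= 1 << (8 - i)
    return mode

def audit(listing, forbidden=0o077):
    """Return (path, octal mode, has_acl) for entries granting any forbidden bit.

    forbidden=0o077 flags any group/other access (the 600/700 posture);
    forbidden=0o022 flags only group/other write.
    """
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 7)  # path is last and may contain spaces
        if len(fields) != 8:
            continue  # e.g. "Found N items" headers
        match = PERM_RE.match(fields[0])
        if not match:
            continue
        mode = to_mode(match.group(1))
        if mode & forbidden:
            findings.append((fields[7], format(mode, "03o"), match.group(2) == "+"))
    return findings

# Constructed sample listing (not from a real cluster).
SAMPLE = """\
drwx------   - hdfs  hadoop          0 2016-05-10 12:01 /data/finance
-rw-------   3 etl   hadoop       2048 2016-05-10 12:02 /data/finance/q1.csv
drwxr-xr-x   - hive  hadoop          0 2016-05-10 12:03 /apps/hive/warehouse
-rw-r-----+  3 etl   hadoop       4096 2016-05-10 12:04 /data/raw/events 2016.log
drwxrwxrwt   - hdfs  hadoop          0 2016-05-10 12:05 /tmp
"""

if __name__ == "__main__":
    for path, mode, has_acl in audit(SAMPLE):
        print(f"{mode} acl={has_acl} {path}")
```

Paths it reports are still reachable through plain HDFS permissions, so they are the ones to tighten and cover with a Ranger policy instead.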