I have a ranger policy for a HDFS resource that looks like... Now trying to access that HDFS path via hadoop fs <path to the hdfs location> as two different users:

# as an unauthorized user
[ml1@HW04 ml1c]$ hadoop fs -ls <path to the hdfs location>
ls: Permission denied: user=ml1, access=EXECUTE, inode="<path to the hdfs location>"

# as an authorized user
[hph_etl@HW04 hph_etl]$ hadoop fs -ls <path to the hdfs location>
Found 4 items 
drwxrwxr-x   - hph_etl hph_etl          0 2019-07-31 15:13 <path to the hdfs location>
drwxrwxr-x   - hph_etl hph_etl          0 2019-08-07 10:52 <path to the hdfs location>
drwxrwxr-x   - hph_etl hph_etl          0 2019-07-31 14:28 <path to the hdfs location>
drwxrwxr-x   - hph_etl hph_etl          0 2019-07-26 16:12 <path to the hdfs location>

which works as expected. Now trying via ls -lh <nfs path to the hdfs location> on the local file system:

# as an unauthorized user
[ml1@HW04 ml1c]$ ls -lh <nfs path to the hdfs location>
total 2.0K
drwxrwxr-x. 4 hph_etl hph_etl 128 Jul 31 15:13 export 
drwxrwxr-x. 5 hph_etl hph_etl 160 Aug  7 10:52 import 
drwxrwxr-x. 5 hph_etl hph_etl 160 Jul 31 14:28 storage 
drwxrwxr-x. 3 hph_etl hph_etl  96 Jul 26 16:12 tests 
# as an authorized user
[hph_etl@HW04 hph_etl]$ ls -lh <nfs path to the hdfs location>
total 2.0K
drwxrwxr-x. 4 hph_etl hph_etl 128 Jul 31 15:13 export 
drwxrwxr-x. 5 hph_etl hph_etl 160 Aug  7 10:52 import 
drwxrwxr-x. 5 hph_etl hph_etl 160 Jul 31 14:28 storage 
drwxrwxr-x. 3 hph_etl hph_etl  96 Jul 26 16:12 tests

we see both users were able to access the HDFS location when doing so via NFS (even though only the hph_etl user should have been able to). Anyone know what's going on here? Any debugging tips or fixes?