
Ranger policies on HDFS (READ/WRITE/EXECUTE)


Hi,

With a regular filesystem, if I create a directory '/data/dir1/dir2/', a user without the 'execute' permission on '/data/dir1' is denied access to '/data/dir1/dir2/' even if he is granted access to '/data/dir1/dir2/' itself, i.e. he does not have the right to traverse the tree.

But not with Ranger. If my filesystem permissions are set to '000' for all the directories and I have a policy granting access to '/data/dir1/dir2/' to my user, this user should not be able to see '/data/dir1/dir2/' since he has no access to '/data/dir1/'. But he can!

1. Is this the expected behavior?

2. If so, what is the meaning of the 'execute' permission in Ranger?

3. How to get my expected behavior?

Thanks!

EDITED

All the directories have their permissions set to '000' in my filesystem, so without Ranger, no user has access to any of them. Then I create a policy in Ranger for '/dir1/dir2/' with 'rwx' permissions for user A. User A now has access to this directory, contrary to what I was expecting. Since there is no policy with the 'execute' permission for '/dir1/', I was expecting that user A could not access '/dir1/dir2' (because on a regular filesystem, one needs to traverse the whole hierarchy of directories and therefore needs the 'execute' permission on all the parents).


1. Yes, Ranger policies trump HDFS ACL.

2. If you allow access to /data/dir1/dir2, then the user will have access to /data/dir1/dir2 (HDFS ACL is not checked because Ranger permissions prevail)

3. Deny your user access to /data/dir1/dir2 in Ranger. Or, don't have a policy for this directory (this way HDFS ACL is invoked).
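To make the difference between the two evaluation orders concrete, here is a small added model (written for this thread, not Ranger's or HDFS's real code) of what the reply describes: POSIX-style checking needs 'x' on every ancestor before the target's own bits matter, whereas the Ranger-style order consults the policy matching the path first and only falls back to the filesystem bits when no policy matches. The filesystem modes, the policy table and the user names are constructed to mirror the question (all directories at 000, one policy on /data/dir1/dir2 for "userA"); a user listed in a policy with no permission letters stands in for the explicit deny the reply suggests.

```python
"""Toy model of POSIX traverse checks versus a policy-first authorizer.

Added illustration for this thread; not the actual Ranger HDFS plugin
logic. Sample data below is constructed.
"""
from typing import Dict, Iterator, List, Optional

Perm = str  # a subset of the letters "rwx"

# Constructed sample filesystem: every directory is mode 000 for everyone,
# exactly as in the question.
FS_PERMS: Dict[str, Perm] = {
    "/data": "",
    "/data/dir1": "",
    "/data/dir1/dir2": "",
}

# Constructed sample policy table: {path: {user: granted perms}}.
# An entry mapping a user to "" models an explicit deny for that user.
POLICIES: Dict[str, Dict[str, Perm]] = {
    "/data/dir1/dir2": {"userA": "rwx"},
}


def ancestors(path: str) -> Iterator[str]:
    """Yield every proper ancestor of path, root-most first."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def missing_traverse(path: str, fs_perms: Dict[str, Perm] = FS_PERMS) -> List[str]:
    """Audit helper: ancestors that lack the 'x' bit, i.e. where a POSIX walk stops."""
    return [anc for anc in ancestors(path) if "x" not in fs_perms.get(anc, "")]


def posix_allowed(path: str, want: str, fs_perms: Dict[str, Perm] = FS_PERMS) -> bool:
    """POSIX semantics: 'x' on every ancestor, then the requested bit on the target."""
    if missing_traverse(path, fs_perms):
        return False
    return want in fs_perms.get(path, "")


def ranger_allowed(
    user: str,
    path: str,
    want: str,
    fs_perms: Dict[str, Perm] = FS_PERMS,
    policies: Optional[Dict[str, Dict[str, Perm]]] = None,
) -> bool:
    """Order described in the reply: a policy on the path decides (allow or deny)
    and the filesystem bits are not consulted; with no policy on the path, fall
    back to the filesystem check, including its traverse rule."""
    if policies is None:
        policies = POLICIES
    policy = policies.get(path)
    if policy is not None:
        return want in policy.get(user, "")  # policy prevails, ancestors are not walked
    return posix_allowed(path, want, fs_perms)


if __name__ == "__main__":
    target = "/data/dir1/dir2"
    print("ancestors without 'x':", missing_traverse(target))
    print("POSIX read on target:", posix_allowed(target, "r"))
    print("policy-first read, userA:", ranger_allowed("userA", target, "r"))
    print("policy-first read, userB:", ranger_allowed("userB", target, "r"))
    print("policy-first 'x' on /data/dir1 (no policy, falls back to FS):",
          ranger_allowed("userA", "/data/dir1", "x"))
```

Running the block shows the situation from the question: the POSIX walk stops at /data because no ancestor carries 'x', while the policy-first order grants userA read on /data/dir1/dir2 without ever looking at the parents, and a path with no policy at all (such as /data/dir1) drops back to the 000 filesystem bits and is denied.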


Thank you for answering. I wasn't clear enough, sorry. I edited my question.


Dear hadoop2:

I want to create an external Iceberg table with the Hive Metastore managing the metadata layer, and the data files stored on HDFS.

If the HDFS ACL for group A is set to 000 (no permission to read directly), but I grant permission in Ranger so that group A can use Spark to read the Iceberg table on columns A and B, with column C masked: with this approach, does that prevent the user from reading the data files directly from HDFS using Spark, so that they only see the masked information in column C? Thank you!


@thomasLeecooper As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post. Thanks.


Regards,

Diana Torres,
Community Moderator