Ranger policies on HDFS (READ/WRITE/EXECUTE)

Hi,

With a regular filesystem, if I create a directory '/data/dir1/dir2/', a user without the 'execute' permission on '/data/dir1' is denied access to '/data/dir1/dir2/' even if he is granted access to '/data/dir1/dir2/' itself, i.e. he does not have the right to traverse the tree.

But not with Ranger. If my filesystem permissions are set to '000' for all the directories and I have a policy granting access to '/data/dir1/dir2/' to my user, this user should not be able to see '/data/dir1/dir2/' since he has no access to '/data/dir1/'. But he can!

1. Is this the expected behavior?

2. If so, what is the meaning of the 'execute' permission in Ranger?

3. How to get my expected behavior?

Thanks!

EDITED

All the directories have their permissions set to '000' in my filesystem, so without Ranger, no user has access to any of them. Then I create a policy in Ranger for '/dir1/dir2/' with 'rwx' permissions for user A. User A now has access to this directory, contrary to what I was expecting. Since there is no policy with the 'execute' permission for '/dir1/', I was expecting that user A couldn't access '/dir1/dir2' (because on a regular filesystem, one needs to traverse the whole hierarchy of directories and so needs the 'execute' permission on all the parents).

Re: Ranger policies on HDFS (READ/WRITE/EXECUTE)

Yes, Ranger policies trump HDFS ACL.

2. If you allow access to /data/dir1/dir2, then the user will have access to /data/dir1/dir2 (HDFS ACL is not checked because Ranger permissions prevail)

3. Deny your user access to /data/dir1/dir2 in Ranger. Or, don't have a policy for this directory (this way HDFS ACL is invoked).
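The difference between the two semantics in this thread, as a small Python model added here for illustration (this is not Ranger's or HDFS's actual code, and the Ranger branch simply encodes the behaviour the question and reply describe: a policy on the path decides by itself, an explicit deny wins, and with no policy the HDFS permission check runs). The mode strings and the user name "A" are constructed sample data:

```python
# Toy model of the two authorization semantics discussed in this thread. Added
# illustration only; the Ranger branch encodes what the thread describes, not real code.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "r", "w", "x"

@dataclass
class Policy:
    path: str           # exact resource path the policy is defined on
    users: set
    perms: set          # subset of {"r", "w", "x"}
    deny: bool = False  # True models an explicit deny policy

@dataclass
class Fs:
    modes: dict                                  # path -> mode string, e.g. "000"
    policies: list = field(default_factory=list)

def _norm(path):
    return path.rstrip("/") or "/"

def _ancestors(path):
    parts = _norm(path).split("/")
    return ["/".join(parts[:i]) or "/" for i in range(1, len(parts))]

def _mode_has(mode, perm):
    # Only the 'other' bits are modelled; owner and group are ignored for brevity.
    return (int(mode[-1]) & {READ: 4, WRITE: 2, EXECUTE: 1}[perm]) != 0

def posix_allows(fs, path, perm):
    # Regular filesystem rule: EXECUTE on every ancestor, then perm on the path itself.
    if any(not _mode_has(fs.modes.get(a, "000"), EXECUTE) for a in _ancestors(path)):
        return False
    return _mode_has(fs.modes.get(_norm(path), "000"), perm)

def ranger_allows(fs, user, path, perm):
    # As described in the thread: a policy on the path decides by itself, with no
    # execute check on the parents; with no matching policy the HDFS check runs.
    hits = [p for p in fs.policies if _norm(p.path) == _norm(path) and user in p.users]
    if not hits:
        return posix_allows(fs, path, perm)
    if any(p.deny and perm in p.perms for p in hits):
        return False
    return any(not p.deny and perm in p.perms for p in hits)

def scenario(policies):
    # Constructed sample: every directory is mode 000, as in the question.
    fs = Fs({"/": "000", "/data": "000", "/data/dir1": "000", "/data/dir1/dir2": "000"}, policies)
    return {"posix": posix_allows(fs, "/data/dir1/dir2/", READ),
            "ranger": ranger_allows(fs, "A", "/data/dir1/dir2/", READ)}
```

Running `scenario` with only an allow policy on `/data/dir1/dir2` for user A gives `posix: False` but `ranger: True`, which is the situation the question reports; adding a deny policy, or removing the policy altogether, brings the answer back to `False`.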

Re: Ranger policies on HDFS (READ/WRITE/EXECUTE)

Thank you for answering. I wasn't clear enough, sorry. I edited my question.