Ranger policy does not grant access as expected

New Contributor

Seems there is no way to assign access to a directory with exact path. For example, a policy for RWX to /shared/int/ does not allow user to do -ls on that path but allows -ls to directories under it -- hdfs dfs -ls /shared/int/temp is working but hdfs dfs -ls /shared/int is blocked.

Re: Ranger policy does not grant access as expected

@Farzaneh Poorjabar

You need to enable the "Recursive" toggle for the policy to apply to child folders.

15568-hdfs-view-policy.png

Re: Ranger policy does not grant access as expected

New Contributor

Eyad - Farzaneh's example has a slash at the end, and yours doesn't. If we don't use the slash, we find that the final folder name is wildcarded, meaning a rule for "/shared/int" would also apply to "/shared/interest". When we use the slash, however, we end up with the situation Farzaneh described. Just clarifying (I'm working with Farzaneh on this.)

Re: Ranger policy does not grant access as expected

New Contributor

The recursive option is turned on. We have tested with this option on and off.

Re: Ranger policy does not grant access as expected

New Contributor

Also, we have noticed that leaving out the ending "/" from the directory name behaves like a wildcard - even though we are not adding any * or ? - "/shared/int" and "/shared/int/" display different behavior.

Re: Ranger policy does not grant access as expected

New Contributor

@Farzaneh Poorjabar

Easiest way to assign access only to a specific directory (say /home/farzaneh) is:

Resource path : /home/farzaneh

isRecursive: false

If you need the access granted recursively to a directory and all directories under it, then

Resource path : /home/farzaneh

isRecursive: true

But there is a side effect: access will be granted to all paths starting with /home/farzaneh.

There is no explicit way to specify in a Ranger policy if the specified resource is a file or a directory. That leads to these corner cases.

You could still get the effect you want by specifying two policies, one with resource as '/home/farzaneh/*', isRecursive = true and another with two resources ['/home/farzaneh', '/home/farzaneh/'] with isRecursive = false.
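The behaviour reported in this thread can be checked against a list of probe paths before a policy goes live. The following is an added example, not part of any post above and not Ranger's own matcher code: `resource_matches` is a simplified model of the prefix behaviour the posters describe, and the probe paths under /shared/interest are constructed. It applies the two-policy pattern from the last answer to the /shared/int path from the question.

```python
from fnmatch import fnmatchcase

# Simplified model of the matching behaviour reported in this thread.
# Assumption for illustration only; this is not Ranger's matcher code.
def resource_matches(path, value, recursive):
    if fnmatchcase(path, value):
        return True
    # Recursive: the value acts as a plain string prefix, with no check
    # that the prefix ends on a directory boundary.
    return recursive and fnmatchcase(path, value + "*")

def policy_allows(policy, path):
    return any(resource_matches(path, v, policy["isRecursive"])
               for v in policy["values"])

def audit(policies, intended):
    """Return (path, wanted, got) for every probe whose result differs."""
    findings = []
    for path, wanted in intended.items():
        got = any(policy_allows(p, path) for p in policies)
        if got != wanted:
            findings.append((path, wanted, got))
    return findings

# Constructed probes: what the policy author intends for /shared/int.
INTENDED = {
    "/shared/int": True,
    "/shared/int/temp": True,
    "/shared/int/temp/part-0": True,
    "/shared/interest": False,          # sibling that must stay denied
    "/shared/interest/q1.csv": False,
}

NO_SLASH = [{"values": ["/shared/int"], "isRecursive": True}]
WITH_SLASH = [{"values": ["/shared/int/"], "isRecursive": True}]
TWO_POLICIES = [
    {"values": ["/shared/int/*"], "isRecursive": True},
    {"values": ["/shared/int", "/shared/int/"], "isRecursive": False},
]

if __name__ == "__main__":
    for name, pols in [("no slash", NO_SLASH),
                       ("trailing slash", WITH_SLASH),
                       ("two policies", TWO_POLICIES)]:
        print(name, audit(pols, INTENDED))
```

An empty findings list means the policy set grants exactly the intended paths; any path reported with `wanted=False, got=True` is an over-grant to review.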
