Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Ranger policy does not grant access as expected

Labels:
avatar
author-rank poorjabarf
Explorer

Created ‎05-18-2017 06:02 PM

Seems there is no way to assign access to a directory with exact path. For example, a policy for RWX to /shared/int/ does not allow user to do -ls on that path but allows -ls to directories under it -- hdfs dfs -ls /shared/int/temp is working but hdfs dfs -ls /shared/int is blocked.

3,254 Views
0 Kudos
5 REPLIES 5

avatar
author-rank egarelnabi
Guru

Created on ‎05-18-2017 06:08 PM - edited ‎08-18-2019 02:31 AM

@Farzaneh Poorjabar

You need to enable the"Recursive" toggle for the policy to apply to child folders.

15568-hdfs-view-policy.png

2,879 Views
0 Kudos

avatar
author-rank hanantj
New Contributor

Created ‎05-18-2017 08:56 PM

Eyad - Farzaneh's example has a slash at the end, and yours doesn't. If we don't use the slash, we find that the final folder name is wildcarded, meaning a rule for "/shared/int" would also apply to "/shared/interest". When we use the slash, however, we end up with the situation Farzaneh described. Just clarifying (I'm working with Farzaneh on this.)

2,879 Views
0 Kudos

avatar
author-rank poorjabarf
Explorer

Created ‎05-18-2017 07:29 PM

The recursive option is turned on. We have tested with this option on and off.

2,879 Views
0 Kudos

avatar
author-rank poorjabarf
Explorer

Created ‎05-18-2017 07:35 PM

Also, we have noticed by leaving out the ending "/" from the directory name behaves like a wildcard - even though we are not adding any * or ? - "/shared/int" and "/shared/int/" display different behavior.

2,879 Views
0 Kudos

avatar
author-rank akulkarni1 author-rank
Contributor

Created ‎05-19-2017 06:32 PM

@Farzaneh Poorjabar

Easiest way to assign access only to a specific directory (say /home/farzaneh) is:

Resource path : /home/farzaneh

isRecursive: false

If you need the access granted recursively to a directory and all directories under it, then

Resource path : /home/farzaneh

isRecursive:true

But, there is a side-effect. Access will be granted to all paths starting with /home/farzaneh

There is no explicit way to specify in a ranger policy, if the specified resource is a file or a directory. That leads to these corner cases.

You could still get the effect you want by specifying two policies, one with resource as '/home/farzaneh/*', isRecursive = true and another with two resources ['/home/farzaneh', '/home/farzaneh/'] with isRecursive = false.

2,879 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements