Support Questions

Find answers, ask questions, and share your expertise

Ranger policy does not grant access as expected


Seems there is no way to assign access to a directory with exact path. For example, a policy for RWX to /shared/int/ does not allow user to do -ls on that path but allows -ls to directories under it -- hdfs dfs -ls /shared/int/temp is working but hdfs dfs -ls /shared/int is blocked.


@Farzaneh Poorjabar

You need to enable the"Recursive" toggle for the policy to apply to child folders.


New Contributor

Eyad - Farzaneh's example has a slash at the end, and yours doesn't. If we don't use the slash, we find that the final folder name is wildcarded, meaning a rule for "/shared/int" would also apply to "/shared/interest". When we use the slash, however, we end up with the situation Farzaneh described. Just clarifying (I'm working with Farzaneh on this.)


The recursive option is turned on. We have tested with this option on and off.


Also, we have noticed by leaving out the ending "/" from the directory name behaves like a wildcard - even though we are not adding any * or ? - "/shared/int" and "/shared/int/" display different behavior.

Cloudera Employee

@Farzaneh Poorjabar

Easiest way to assign access only to a specific directory (say /home/farzaneh) is:

Resource path : /home/farzaneh

isRecursive: false

If you need the access granted recursively to a directory and all directories under it, then

Resource path : /home/farzaneh


But, there is a side-effect. Access will be granted to all paths starting with /home/farzaneh

There is no explicit way to specify in a ranger policy, if the specified resource is a file or a directory. That leads to these corner cases.

You could still get the effect you want by specifying two policies, one with resource as '/home/farzaneh/*', isRecursive = true and another with two resources ['/home/farzaneh', '/home/farzaneh/'] with isRecursive = false.