
Ranger policy does not grant access as expected

Explorer

Seems there is no way to assign access to a directory with an exact path. For example, a policy for RWX to /shared/int/ does not allow the user to do -ls on that path but allows -ls on directories under it -- hdfs dfs -ls /shared/int/temp is working but hdfs dfs -ls /shared/int is blocked.

5 REPLIES


@Farzaneh Poorjabar

You need to enable the "Recursive" toggle for the policy to apply to child folders.

15568-hdfs-view-policy.png

New Contributor

Eyad - Farzaneh's example has a slash at the end, and yours doesn't. If we don't use the slash, we find that the final folder name is wildcarded, meaning a rule for "/shared/int" would also apply to "/shared/interest". When we use the slash, however, we end up with the situation Farzaneh described. Just clarifying (I'm working with Farzaneh on this.)

Explorer

The recursive option is turned on. We have tested with this option on and off.

Explorer

Also, we have noticed that leaving out the ending "/" from the directory name behaves like a wildcard - even though we are not adding any * or ? - "/shared/int" and "/shared/int/" display different behavior.

Contributor

@Farzaneh Poorjabar

The easiest way to assign access only to a specific directory (say /home/farzaneh) is:

Resource path: /home/farzaneh

isRecursive: false

If you need the access granted recursively to a directory and all directories under it, then:

Resource path: /home/farzaneh

isRecursive: true

But there is a side effect: access will be granted to all paths starting with /home/farzaneh.

There is no explicit way to specify in a Ranger policy whether the specified resource is a file or a directory. That leads to these corner cases.

You could still get the effect you want by specifying two policies, one with resource as '/home/farzaneh/*', isRecursive = true and another with two resources ['/home/farzaneh', '/home/farzaneh/'] with isRecursive = false.
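
An added example, not part of the thread or of Ranger's own code: a small audit over exported policy JSON that flags recursive path values with no trailing "/" or "/*" boundary and lists which known directories they would also cover under the prefix behaviour described in the replies above. The policy names, the KNOWN_PATHS list and the sample export are constructed, and the prefix model follows the thread's description rather than Ranger's matcher source.

```python
import json

# Constructed sample in the shape of a Ranger HDFS policy export
# (resources.path.values / isRecursive); policy names are made up.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "int-recursive",
   "resources": {"path": {"values": ["/shared/int"], "isRecursive": true}}},
  {"name": "farzaneh-children",
   "resources": {"path": {"values": ["/home/farzaneh/*"], "isRecursive": true}}},
  {"name": "farzaneh-dir",
   "resources": {"path": {"values": ["/home/farzaneh", "/home/farzaneh/"],
                          "isRecursive": false}}}
]
""")

# Constructed directory listing to test the policies against.
KNOWN_PATHS = ["/shared/int", "/shared/int/temp", "/shared/interest",
               "/home/farzaneh", "/home/farzaneh2"]

def risky_values(policy):
    """Recursive path values that do not end on a '/' or '/*' boundary."""
    path = policy.get("resources", {}).get("path", {})
    if not path.get("isRecursive", False):
        return []
    return [v for v in path.get("values", [])
            if v != "/" and not v.endswith(("/", "/*"))]

def sibling_overmatch(value, known_paths):
    """Paths that start with `value` but are neither it nor beneath it.
    Assumption: plain prefix matching, as the thread describes."""
    base = value.rstrip("/")
    return [p for p in known_paths
            if p.startswith(base) and p != base
            and not p.startswith(base + "/")]

def audit(policies, known_paths):
    """Map (policy name, risky value) -> sibling paths it would also cover."""
    findings = {}
    for pol in policies:
        for value in risky_values(pol):
            findings[(pol["name"], value)] = sibling_overmatch(value, known_paths)
    return findings

if __name__ == "__main__":
    for (name, value), hits in audit(SAMPLE_POLICIES, KNOWN_PATHS).items():
        print(f"{name}: {value!r} also covers {hits}")
```

The two-policy layout from the last reply produces no findings here, while the single recursive "/shared/int" policy is reported as also covering "/shared/interest".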