In Sandbox HDP 2.3.2 / Ambari 2.1.2, Ranger is enabled in HDFS out of the box. When I tried to get the ACL on the CLI, I got the following error:
[hdfs@sandbox ~]$ hdfs dfs -getfacl /user/hdfs
# file: /user/hdfs
# owner: hdfs
# group: hdfs
getfacl: The ACL operation has been rejected. Support for ACLs has been disabled by setting dfs.namenode.acls.enabled to false.
Is it recommended to disable the default ACL? If it is enabled, will we see the ACL set command generating Ranger policies?
I think there are some global policies created whenever we enable any Ranger plugin in Sandbox. This global policy by default blocks access to all. So for other policies to work, or for it to fall back on the other authorization method, we need to disable this global policy.
Example: in this case, we need to review whether any global policy exists under the HDFS repo in Ranger. If yes, we need to disable it. In this case it will not fall back to HDFS ACLs if this global policy exists.
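
The error in the question names the NameNode property dfs.namenode.acls.enabled. As an added example (not part of the original posts), this Python code resolves that property's effective value across Hadoop configuration files in load order, honoring `<final>`; the file contents are constructed samples and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not taken from the sandbox in the post).
HDFS_DEFAULT = """<configuration>
  <property><name>dfs.namenode.acls.enabled</name><value>false</value></property>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
</configuration>"""

HDFS_SITE = """<configuration>
  <property><name>dfs.namenode.acls.enabled</name><value> true </value></property>
</configuration>"""

HDFS_SITE_LOCKED = """<configuration>
  <property><name>dfs.namenode.acls.enabled</name><value>false</value><final>true</final></property>
</configuration>"""


def effective_value(resources, key):
    """Resolve key across (label, xml_text) pairs given in load order.

    Later resources override earlier ones, except that a property marked
    <final>true</final> can no longer be overridden. Returns (value, label),
    or (None, None) when the key is not set anywhere.
    """
    value, source, locked = None, None, False
    for label, xml_text in resources:
        for prop in ET.fromstring(xml_text).iter("property"):
            if (prop.findtext("name") or "").strip() != key or locked:
                continue
            value = (prop.findtext("value") or "").strip()
            source = label
            locked = (prop.findtext("final") or "").strip().lower() == "true"
    return value, source


def acls_enabled(resources):
    """True only if dfs.namenode.acls.enabled resolves to 'true'."""
    value, _ = effective_value(resources, "dfs.namenode.acls.enabled")
    return (value or "").lower() == "true"


if __name__ == "__main__":
    stack = [("hdfs-default.xml", HDFS_DEFAULT), ("hdfs-site.xml", HDFS_SITE)]
    print(effective_value(stack, "dfs.namenode.acls.enabled"), acls_enabled(stack))
```

On a live cluster, `hdfs getconf -confKey dfs.namenode.acls.enabled` reports the value the client configuration resolves to.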