
User can still see / read on paths that it does not own


I have set a Ranger policy enabling a certain newuser to read/write/execute only on his own home directory in HDFS, say /user/<newuser>. While the policy certainly works on his own path, I do not want newuser to be able to read directories and files outside its own, which still happens when I do:

hadoop fs -ls /

Or on some other directories. The same thing happens when newuser is logged in to Hue.

How do I do this in Ranger?

Accepted Solutions

Re: User can still see / read on paths that it does not own

Hi @J. D. Bacolod - please see this article I wrote a while ago which explains how Ranger works: https://community.hortonworks.com/content/kbentry/49177/how-do-ranger-policies-work-in-relation-to-h...

From HDP 2.5, there is also the potential to Deny access explicitly via a Deny policy. See this article on how to enable them: https://community.hortonworks.com/content/kbentry/61208/how-to-enable-deny-conditions-and-excludes-i...

Hope this helps!


Re: User can still see / read on paths that it does not own

That is because the HDFS POSIX permission is there on the base dir, so make that 000.
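
A simplified model of the evaluation order the replies in this thread describe, as an added example that is not part of the original thread and is not Ranger's code. It assumes the HDFS plugin's fallback to native permissions is enabled and ignores ancestor traverse checks; the paths, modes and policies are constructed.

```python
from dataclasses import dataclass

@dataclass
class Policy:                      # toy stand-in for a Ranger HDFS policy
    path: str                      # resource path, applied recursively
    users: set
    accesses: set                  # subset of {"read", "write", "execute"}
    deny: bool = False

@dataclass
class Inode:                       # constructed HDFS metadata for one path
    owner: str
    group: str
    mode: int                      # POSIX bits, e.g. 0o755

BITS = {"read": 4, "write": 2, "execute": 1}

def covers(policy, path):
    base = policy.path.rstrip("/")
    return path == policy.path or path.startswith(base + "/")

def posix_allows(inode, user, groups, access):
    # Pick the owner, group or other triad, as HDFS does for native checks.
    shift = 6 if user == inode.owner else 3 if inode.group in groups else 0
    return bool((inode.mode >> shift) & BITS[access])

def authorize(policies, inode, path, user, groups, access):
    hits = [p for p in policies
            if covers(p, path) and user in p.users and access in p.accesses]
    if any(p.deny for p in hits):
        return False, "ranger-deny"      # explicit deny wins, no fallback
    if hits:
        return True, "ranger-allow"
    # No Ranger policy matched: the decision falls back to HDFS mode bits.
    return posix_allows(inode, user, groups, access), "hdfs-posix"

# Constructed sample: newuser only has a Ranger policy on the home directory.
home = Policy("/user/newuser", {"newuser"}, {"read", "write", "execute"})
deny = Policy("/projects", {"newuser"}, {"read"}, deny=True)
open_dir = Inode("hdfs", "hdfs", 0o755)     # "other" can read and traverse
closed_dir = Inode("hdfs", "hdfs", 0o000)

if __name__ == "__main__":
    for label, args in [
        ("ls / (mode 755)", ([home], open_dir, "/")),
        ("ls /projects (mode 000)", ([home], closed_dir, "/projects")),
        ("ls home (mode 000)", ([home], closed_dir, "/user/newuser")),
        ("ls /projects (deny policy)", ([home, deny], open_dir, "/projects")),
    ]:
        print(label, authorize(*args, "newuser", set(), "read"))
```

The first case is the one from the question: no Ranger policy covers /, so the 755 mode bits decide and the listing succeeds.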
