
If I am changing permissions on HDFS files from the CLI and I am applying policies for the same file from the Ranger UI, then which will take precedence? Hadoop ACL or Ranger policies?


Expert Contributor

Ranger Policies will take effect first. If the Ranger agents go down, then the HDFS ACL will take place.

No, it's not. HDFS ACLs are taking effect when I go and try to access a file from the CLI.

Expert Contributor

What happens is that if the Hadoop ACL allows access to a resource, then that will take priority. This behaviour can be switched off by setting the param xasecure.add-hadoop-authorization=false. The practice is to have the Hadoop ACL more restrictive and control via Ranger. If Ranger is down, and the Ranger plugin is enabled, the Ranger authorizer will use the last known version of the policy from the cache and authorize.

Then if Hadoop ACLs have all the effects, then what is the use of Ranger? And in a real cluster we cannot turn the ACL permissions to false.

Hi @khushi kalra

First, note that Ranger policies grant access only. For instance, when you create a policy in Ranger and you say I give read access to user "james" on directory "/tmp/", this only means that james can read from the folder, but it doesn't mean that we prevent him from writing to the folder.

In terms of ordering, when you try to access a file, we check first with Ranger. If Ranger has a policy that says you have access, you will pass. If Ranger says nothing, then the HDFS permissions are used. This is why the best practice is:

  • Restrict access in HDFS
  • Give the required authorization in Ranger

I hope this helps

Then if Hadoop ACLs have all the effects, then what is the use of Ranger? And in a real cluster we cannot turn the ACL permissions to false.

Hi @khushi kalra

Ranger has 4 major roles in security:

  1. Administration: Ranger gives you a central administration console for the whole cluster. Your question is on security, but Ranger can define access control for the other components like HBase, Hive, Kafka, etc.
  2. Authorization: enforce the access policy for the previously mentioned tools. Ranger is easier to use than the security tools of each component thanks to its Web UI.
  3. Audit: Ranger stores all activities that users perform in each secured component. You can, for instance, search for all operations that a user has performed on a Hive table.
  4. KMS for HDFS encryption: Ranger provides a KMS server if you need HDFS encryption.

Now if we speak particularly about access control for HDFS, when you use Ranger, you restrict access by default in HDFS and "open" access for the users that you want in Ranger. This is easier in terms of administration since you will use the Ranger Web UI rather than the shell commands. Also, it gives the option to have all your security policy (HDFS, Yarn, Hive, HBase, etc.) implemented and enforced in the same tool.

Does this answer your question?

So if I block a user from writing into a file from the Hadoop ACL, can I grant him permissions to write from a Ranger policy?

Yes, you can.
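
Added example (not part of the original thread and not Ranger's own code): a simplified Python model of the decision order the answers above describe, plus a check that lists access HDFS permissions grant without any Ranger policy covering it. All class, function and path names are hypothetical, the policies are allow-only as the thread describes them, and the sample data is constructed.

```python
# Simplified model of the HDFS + Ranger decision order described in this thread.
# All names are hypothetical; this is not Ranger plugin code.
from dataclasses import dataclass

@dataclass(frozen=True)
class RangerPolicy:           # allow-only grant, as the thread describes
    path: str                 # directory prefix the policy covers
    user: str
    accesses: frozenset       # e.g. {"read", "write"}

def ranger_allows(policies, user, path, access):
    """True if any Ranger policy grants `access` on `path` (or a parent) to `user`."""
    return any(p.user == user and access in p.accesses
               and (path == p.path or path.startswith(p.path.rstrip("/") + "/"))
               for p in policies)

def authorize(policies, hdfs_perms, user, path, access, add_hadoop_authorization=True):
    """Return (allowed, decided_by) following the ordering from the answers above."""
    if ranger_allows(policies, user, path, access):
        return True, "ranger-policy"
    if add_hadoop_authorization:              # xasecure.add-hadoop-authorization=true
        return access in hdfs_perms.get((user, path), set()), "hadoop-acl"
    return False, "ranger-default-deny"       # fallback to HDFS permissions switched off

def ungoverned_access(policies, hdfs_perms):
    """List (user, path, access) that HDFS permissions allow with no Ranger policy behind it."""
    return sorted((u, p, a) for (u, p), accs in hdfs_perms.items()
                  for a in accs if not ranger_allows(policies, u, p, a))

# Constructed sample data: effective HDFS permissions per (user, path).
POLICIES = [RangerPolicy("/data/sales", "james", frozenset({"read", "write"}))]
HDFS_PERMS = {
    ("james", "/data/sales/q1.csv"): {"read"},          # HDFS blocks write
    ("khushi", "/tmp/report.txt"): {"read", "write"},   # open in HDFS, no Ranger policy
}

if __name__ == "__main__":
    print(authorize(POLICIES, HDFS_PERMS, "james", "/data/sales/q1.csv", "write"))
    print(authorize(POLICIES, HDFS_PERMS, "khushi", "/tmp/report.txt", "write"))
    print(ungoverned_access(POLICIES, HDFS_PERMS))
```

Entries returned by `ungoverned_access` are the ones to tighten in HDFS if all grants are meant to be managed and audited through Ranger.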