Created 04-29-2016 07:25 PM
What happens is that if the Hadoop ACL allows access to a resource, then that will take priority. This behaviour can be switched off by setting the param xasecure.add-hadoop-authorization=false. The practice is to have the Hadoop ACL more restrictive and control via Ranger. If Ranger is down and the Ranger plugin is enabled, the Ranger authorizer will use the last known version of the policy from the cache and authorize.
First, note that Ranger policies grant access only. For instance, when you create a policy in Ranger and you say I give read access to user "james" on directory "/tmp/", this only means that james can read from the folder, but it doesn't mean that we prevent him from writing to the folder.
In terms of ordering, when you try to access a file, we check first with Ranger. If Ranger has a policy that says you have access, you will pass. If Ranger says nothing, then the HDFS permissions are used. This is why the best practice is:
I hope this helps
Ranger has 4 major roles in security:
Now, if we speak particularly about access control for HDFS, when you use Ranger, you restrict access by default in HDFS and "open" access for the users that you want in Ranger. This is easier in terms of administration since you will use the Ranger Web UI rather than the shell commands. Also, it gives the option to have all your security policy (HDFS, YARN, Hive, HBase, etc.) implemented and enforced in the same tool.
Does this answer your question?
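The fallback behaviour described in this thread, as an added example that is not part of the original posts and not Ranger's own code: a simplified model in which Ranger policies only allow, and HDFS permissions decide when Ranger says nothing. The class and function names are hypothetical, group bits and HDFS extended ACLs are not modelled, and `hadoop_fallback` stands in for `xasecure.add-hadoop-authorization`.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RangerPolicy:          # hypothetical model of an allow-only policy
    path: str                # resource prefix the policy covers
    user: str
    accesses: frozenset      # e.g. frozenset({"read"})

@dataclass(frozen=True)
class HdfsEntry:             # hypothetical model of owner + POSIX mode
    owner: str
    mode: int                # e.g. 0o777

BITS = {"read": 4, "write": 2, "execute": 1}

def ranger_allows(policies, user, path, access):
    """True if any allow policy covers this user, path and access type."""
    return any(p.user == user and path.startswith(p.path) and access in p.accesses
               for p in policies)

def hdfs_allows(entry, user, access):
    """Owner bits for the owner, 'other' bits for everyone else (simplified)."""
    shift = 6 if user == entry.owner else 0
    return bool((entry.mode >> shift) & BITS[access])

def authorize(policies, entry, user, path, access, hadoop_fallback=True):
    """Ranger first; if Ranger says nothing, fall back to HDFS permissions."""
    if ranger_allows(policies, user, path, access):
        return "ALLOW (ranger)"
    if hadoop_fallback and hdfs_allows(entry, user, access):
        return "ALLOW (hdfs)"
    return "DENY"

# Constructed sample data: james has a read-only Ranger policy on /tmp/.
POLICIES = [RangerPolicy("/tmp/", "james", frozenset({"read"}))]
OPEN_DIR = HdfsEntry(owner="hdfs", mode=0o777)     # permissive HDFS permissions
LOCKED_DIR = HdfsEntry(owner="hdfs", mode=0o700)   # restrictive HDFS permissions

if __name__ == "__main__":
    for label, entry in (("0777", OPEN_DIR), ("0700", LOCKED_DIR)):
        for access in ("read", "write"):
            print(label, access, authorize(POLICIES, entry, "james", "/tmp/f", access))
```

With permissive HDFS permissions the read-only Ranger policy does not stop james from writing, because the write is granted by the fallback; with restrictive permissions only what Ranger explicitly allows gets through.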