Kunal created RANGER-5193:
-----------------------------

Summary: Execute permission on HDFS folder in HDFS Ranger policy does not behave the same as HDFS POSIX permissions
Key: RANGER-5193
URL: https://issues.apache.org/jira/browse/RANGER-5193
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Kunal
If the resource path (HDFS directory) is not managed via Ranger, only execute permission is enough to traverse the directory. Whereas, if the resource path (HDFS directory) is managed via Ranger with denyAllElse set to TRUE, the user needs both Read and Execute permissions to be given on the directory in Ranger to be able to read a sub-directory which has full permissions for the user.

Steps to reproduce:

1. Create a folder called test-db under /tmp and assign 751 permissions where everybody has just the "execute" permissions

    [hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db
    [hdfs@hostname ~]$ hdfs dfs -chmod 751 /tmp/test-db
    [hdfs@hostname ~]$ hdfs dfs -ls -d /tmp/test-db
    drwxr-x--x   - hdfs hdfs          0 2025-04-07 09:54 /tmp/test-db

2. As HDFS user, create a sub-folder t1 under test-db and give complete access only to your ID (kunal)

    [hdfs@hostname ~]$ hdfs dfs -mkdir /tmp/test-db/t1

3. Add some files under t1: /tmp/test-db/t1

    [hdfs@hostname ~]$ hdfs dfs -put /etc/hosts /tmp/test-db/t1
    [hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
    -rw-r--r--   3 hdfs hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

4. Change ownership of all files and folders of t1 to your user (kunal) and give only your user the permission (700)

    [hdfs@hostname ~]$ hdfs dfs -chown -R kunal /tmp/test-db/t1
    [hdfs@hostname ~]$ hdfs dfs -chmod -R 700 /tmp/test-db/t1
    [hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db
    Found 1 items
    drwx------   - kunal hdfs          0 2025-04-07 10:31 /tmp/test-db/t1
    [hdfs@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
    Found 1 items
    -rwx------   3 kunal hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

5. Log in as your ID and try to list the test-db/t1 folder

    [kunal@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
    Found 1 items
    -rwx------   3 krajguru hdfs        211 2025-04-15 10:46 /tmp/test-db/t1/hosts

Conclusion:

So, when we have no Ranger policy created on the parent path (/tmp/test-db) and execute permissions are given to everybody (751) on /tmp/test-db, as the kunal user I'm able to list the files under the t1 folder and read the contents of the hosts file under /tmp/test-db/t1/hosts.

But when I create an HDFS Ranger policy on the /tmp/test-db location with the "DenyAllElse" flag set to TRUE and provide the kunal user only execute permission, and another policy on its sub-directory (t1) -- /tmp/test-db/t1 -- with the kunal user having full permissions (read, write, execute), then to even list the files under folder t1 (/tmp/test-db/t1) it expects kunal to have "read and execute" permissions on the parent directory (/tmp/test-db).

Just execute permission on the parent directory must be fine, similar to HDFS POSIX permissions.

    [krajguru@hostname ~]$ hdfs dfs -ls /tmp/test-db/t1
    ls: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException: Permission denied: user=kunal, access=READ_EXECUTE, inode="/tmp/test-db/t1"

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
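As an added illustration of the POSIX traversal rule the report appeals to (this is not code from the Ranger project or from the reporter): a small Python model in which listing a directory requires EXECUTE on every ancestor and READ plus EXECUTE only on the directory being listed, with each per-inode check answered by a Ranger-style path policy where one covers the inode and by POSIX mode bits otherwise. The filesystem, modes and the two policies are constructed to mirror the reproduction steps; the longest-prefix policy resolution, the treatment of denyAllElse as an explicit deny, and the fallback to POSIX bits are assumptions of the model, not a description of Ranger's evaluator.

```python
# Added example: a model of the HDFS traversal check the report appeals to.
# Not code from the Ranger project or the issue reporter. The filesystem,
# modes and policies below are constructed to mirror RANGER-5193's steps;
# the policy-resolution and POSIX-fallback rules are modelling assumptions.
import posixpath
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"
POSIX_BIT = {READ: 4, WRITE: 2, EXECUTE: 1}


@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o751


@dataclass
class Policy:
    """Ranger-style path policy: user -> set of allowed access types."""
    allows: dict
    deny_all_else: bool
    recursive: bool = True


def posix_allows(inode, user, groups, perm):
    """Owner / group / other bit check for one access type on one inode."""
    if user == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & POSIX_BIT[perm] == POSIX_BIT[perm]


def matching_policy(policies, path):
    """Assumption: the most specific (longest) policy path covering `path` wins."""
    best = None
    for ppath, pol in policies.items():
        covers = path == ppath or (pol.recursive and path.startswith(ppath.rstrip("/") + "/"))
        if covers and (best is None or len(ppath) > len(best[0])):
            best = (ppath, pol)
    return None if best is None else best[1]


def inode_allows(fs, policies, user, groups, path, perm):
    """One (inode, access) decision: the policy if one applies, else POSIX bits."""
    pol = matching_policy(policies, path)
    if pol is not None:
        if perm in pol.allows.get(user, set()):
            return True
        if pol.deny_all_else:
            return False  # denyAllElse: anything not explicitly allowed is denied
    return posix_allows(fs[path], user, groups, perm)


def ancestors(path):
    """'/tmp/test-db/t1' -> ['/', '/tmp', '/tmp/test-db']."""
    chain = []
    cur = posixpath.dirname(path)
    while True:
        chain.append(cur)
        if cur == "/":
            break
        cur = posixpath.dirname(cur)
    return chain[::-1]


def required_checks(path):
    """POSIX rule for listing a directory: EXECUTE on every ancestor (traverse
    only, no READ), then READ and EXECUTE on the directory being listed."""
    return [(anc, EXECUTE) for anc in ancestors(path)] + [(path, READ), (path, EXECUTE)]


def can_list(fs, policies, user, groups, path):
    """Run the per-inode checks in order; report the first one that fails."""
    for inode_path, perm in required_checks(path):
        if not inode_allows(fs, policies, user, groups, inode_path, perm):
            return False, f"Permission denied: user={user}, access={perm.upper()}, inode={inode_path}"
    return True, "ok"


# Constructed filesystem state after steps 1-4 of the report.
FS = {
    "/": Inode("hdfs", "hdfs", 0o755),
    "/tmp": Inode("hdfs", "hdfs", 0o1777),
    "/tmp/test-db": Inode("hdfs", "hdfs", 0o751),
    "/tmp/test-db/t1": Inode("kunal", "hdfs", 0o700),
}

# The two policies described in the conclusion: execute-only with denyAllElse
# on the parent, full access on the sub-directory.
POLICIES = {
    "/tmp/test-db": Policy({"kunal": {EXECUTE}}, deny_all_else=True),
    "/tmp/test-db/t1": Policy({"kunal": {READ, WRITE, EXECUTE}}, deny_all_else=False),
}

if __name__ == "__main__":
    for label, pols in (("POSIX only", {}), ("with Ranger policies", POLICIES)):
        print(label, "->", can_list(FS, pols, "kunal", ["hdfs"], "/tmp/test-db/t1"))
    print("other user, with policies ->", can_list(FS, POLICIES, "bob", [], "/tmp/test-db/t1"))
```

Under these rules the listing of /tmp/test-db/t1 succeeds for kunal both with and without the policy table, because the parent is only ever asked for EXECUTE; a user outside the parent's denyAllElse policy is stopped at /tmp/test-db, and a user with no policy at all is stopped by the 700 mode bits on t1. Comparing `required_checks` against the access type named in the RangerAccessControlException is a quick way to see which inode the authorizer is evaluating more strictly than the POSIX rule.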