[ https://issues.apache.org/jira/browse/RANGER-693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955265#comment-14955265 ]
Madhan Neethiraj commented on RANGER-693:
-----------------------------------------
Ranger policy model update to support 'Deny Conditions' (RANGER-606) can be
leveraged to implement this use case, with the following steps:
- create a Ranger policy for the folder - for example /apps/hive/warehouse
- add a 'Deny condition' to deny access to everyone (group=public)
- to allow access to specific users/groups, add them to 'Deny Exceptions' and
'Allow Conditions'
With such a policy in place, Ranger will actively deny access by any user who
is not explicitly allowed by this policy - and there will not be fallback to
native ACLs. Please note that fallback to native ACLs is done only when there
are no Ranger policies to determine the access. In this case, since a Ranger
policy actively denied the access, native ACLs will not have a say.
> HDFS folder permission exclusively managed by Ranger
> ----------------------------------------------------
>
> Key: RANGER-693
> URL: https://issues.apache.org/jira/browse/RANGER-693
> Project: Ranger
> Issue Type: Improvement
> Affects Versions: 0.5.1
> Reporter: Don Bosco Durai
> Fix For: 0.6.0
>
>
> In HDFS plugin, if there are no policies for the file/folder, then Ranger
> falls back to HDFS file/folder permission.
> While this is very convenient, in some cases it is desirable that only
> Ranger manages the policies. Good examples are folders like
> /apps/hive/warehouse or some user folders where it is better that Ranger
> manages the entire permission.
> One suggestion is to mark folders which will be managed by Ranger. For these
> folders, ignore all permissions and ownership set at the HDFS file/folder
> level.
> This will be a very useful feature for Ranger.
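The evaluation order described in the comment above, as an added example that is not Ranger's code and not part of the original message: a simplified Python model of a deny-everyone policy with 'Deny Exceptions' and 'Allow Conditions', and of the fallback to native ACLs. The field names, the `evaluate` function, and the sample users and groups (`etl`, `hive-admins`, `mallory`) are constructed for illustration, and access types (read/write/execute) are left out.

```python
# Simplified model of the policy evaluation described in the comment.
# Constructed for illustration; not Ranger's implementation or data model.

POLICY = {
    "path": "/apps/hive/warehouse",
    "recursive": True,
    # 'Deny condition': everyone (group=public)
    "deny": [{"users": set(), "groups": {"public"}}],
    # 'Deny Exceptions' and 'Allow Conditions' list the same principals
    "deny_exceptions": [{"users": {"etl"}, "groups": {"hive-admins"}}],
    "allow": [{"users": {"etl"}, "groups": {"hive-admins"}}],
}


def _covers(policy, path):
    """True if the policy's folder is the path itself or a parent of it."""
    base = policy["path"].rstrip("/")
    return path == base or (policy["recursive"] and path.startswith(base + "/"))


def _matches(items, user, groups):
    """True if any policy item names the user or one of the user's groups."""
    groups = set(groups) | {"public"}  # every user belongs to 'public'
    return any(user in i["users"] or groups & i["groups"] for i in items)


def evaluate(policies, path, user, groups, native_acl_allows):
    """Return (decision, decided_by) for one access request."""
    applicable = [p for p in policies if _covers(p, path)]
    # 1. A deny condition without a matching exception is an active deny.
    for p in applicable:
        if _matches(p["deny"], user, groups) and not _matches(
            p["deny_exceptions"], user, groups
        ):
            return ("DENY", "ranger")
    # 2. Otherwise an allow condition grants the access.
    for p in applicable:
        if _matches(p["allow"], user, groups):
            return ("ALLOW", "ranger")
    # 3. No policy determined the access: native HDFS permissions decide.
    return ("ALLOW" if native_acl_allows else "DENY", "hdfs-acl")


if __name__ == "__main__":
    # mallory's native HDFS permission would allow access; the policy denies it.
    print(evaluate([POLICY], "/apps/hive/warehouse/db/t1", "mallory", [], True))
    print(evaluate([POLICY], "/apps/hive/warehouse/db/t1", "etl", [], False))
    print(evaluate([POLICY], "/tmp/scratch", "mallory", [], True))
```

In this model a principal listed only under the deny exceptions is not decided by the policy and falls through to the native ACL check, which is why the steps add the permitted users and groups to both lists.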