[
https://issues.apache.org/jira/browse/RANGER-693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955316#comment-14955316
]
Alok Lal commented on RANGER-693:
---------------------------------
{quote}
fallback to native ACLs is done only when there are no Ranger policies to
determine the access.
{quote}
It is clear to me what you mean [~madhan.neethiraj], but please allow me to
build on that statement a little to avoid potential confusion.
{quote}
when there are no policies to determine access
{quote}
Literally means that! Specifically if a policy exist which matches the
resource being requested but if it neither allows access nor _explicitly_
denies access then the fallback to HDFS' native ACL would happen. This use
cases (and Yarn plugin) helps to highlight and explain the difference between
undetermined-access v/s denied-access that have become crucial to understand
now that we have deny policies.
> HDFS folder permission exclusively managed my Ranger
> ----------------------------------------------------
>
> Key: RANGER-693
> URL: https://issues.apache.org/jira/browse/RANGER-693
> Project: Ranger
> Issue Type: Improvement
> Affects Versions: 0.5.1
> Reporter: Don Bosco Durai
> Fix For: 0.6.0
>
>
> In HDFS plugin, if there are no policies for the file/folder, then Ranger
> falls backs to HDFS file/folder permission.
> While this is very convenient, but in some cases it is desirable that only
> Ranger manages the policies. Good examples are folders like
> /apps/hive/warehouse or some user folders where it is better that Ranger
> manages the entire permission.
> One suggestion is to mark folders which will be managed by Ranger. For these
> folders, ignore all permissions and ownership set at the HDFS file/folder
> level.
> This will be a very useful feature for Ranger.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
