[
https://issues.apache.org/jira/browse/RANGER-693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14956223#comment-14956223
]
Don Bosco Durai commented on RANGER-693:
----------------------------------------
[~madhan.neethiraj], I am not sure this workaround will solve the problem. The
challenge will be the granularity and complexity.
E.g., in your case, we will have to set up all the "Deny"/"Allow"/"Exception" in
one policy itself for the entire tree. If there are 20 DB users, then you will
deny "public", excluding "20 users". But for these 20 users you are back to the
same problem. Some might get permissions via HDFS ACL and some from Ranger. You can
start creating more policies for sub folders, but then you get into the
complexity challenge.
My suggestion is a simple list of folders which can be marked exclusively to be
managed by Ranger. Or it could be the other way, the list of folders which
could use HDFS ACLs also, e.g. /tmp folders.
> HDFS folder permission exclusively managed by Ranger
> ----------------------------------------------------
>
> Key: RANGER-693
> URL: https://issues.apache.org/jira/browse/RANGER-693
> Project: Ranger
> Issue Type: Improvement
> Affects Versions: 0.5.1
> Reporter: Don Bosco Durai
> Fix For: 0.6.0
>
>
> In HDFS plugin, if there are no policies for the file/folder, then Ranger
> falls back to HDFS file/folder permission.
> While this is very convenient, in some cases it is desirable that only
> Ranger manages the policies. Good examples are folders like
> /apps/hive/warehouse or some user folders where it is better that Ranger
> manages the entire permission.
> One suggestion is to mark folders which will be managed by Ranger. For these
> folders, ignore all permissions and ownership set at the HDFS file/folder
> level.
> This will be a very useful feature for Ranger.
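The fallback described in the issue and the proposed "exclusively managed" folder list, as an added example that is not Ranger's code or part of the original message. It is a simplified model: `authorize`, `is_under` and `EXCLUSIVE_FOLDERS` are hypothetical names, and denying when no Ranger policy covers an exclusive folder is an assumption drawn from "ignore all permissions and ownership set at the HDFS file/folder level".

```python
from enum import Enum
from posixpath import normpath


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


# Hypothetical configuration: folders marked as managed only by Ranger.
EXCLUSIVE_FOLDERS = ["/apps/hive/warehouse"]


def is_under(path, folder):
    """True if path is the folder itself or a descendant of it.

    Matching is done on whole path components after normalisation, so
    /apps/hive/warehouse2 is not treated as inside /apps/hive/warehouse
    and ".." segments cannot be used to step out of (or into) a folder.
    """
    path, folder = normpath(path), normpath(folder)
    return folder == "/" or path == folder or path.startswith(folder + "/")


def authorize(path, ranger_result, hdfs_allows, exclusive_folders=()):
    """Model of the access decision for one request.

    ranger_result: True/False when a Ranger policy covers the path,
                   None when no policy covers it.
    hdfs_allows:   result of the native HDFS permission/ACL check.
    """
    if ranger_result is not None:
        # A Ranger policy covers the path: its result is used.
        return Decision.ALLOW if ranger_result else Decision.DENY
    if any(is_under(path, f) for f in exclusive_folders):
        # Proposed behaviour: HDFS permissions are ignored here, so the
        # absence of a Ranger policy means no access (assumption).
        return Decision.DENY
    # Behaviour described in the issue: fall back to HDFS permissions.
    return Decision.ALLOW if hdfs_allows else Decision.DENY
```

With an empty `exclusive_folders` the function reproduces the fallback the issue describes; passing `EXCLUSIVE_FOLDERS` shows which requests change outcome once a folder is marked.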