Agree we need a separate JIRA to track this. There are 2 use cases: 1. Reporting on Ranger Admin: We have to make calls to HDFS to get the HDFS ACLs and merge with ours. 2. Support -getfacl: When -getfacl API is called, within the HDFS process, Ranger plugin can merge both the permission set and respond.
Both have different perspective. What were you thinking of? Bosco On 10/13/15, 8:49 AM, "Balaji Ganesan" <[email protected]> wrote: >Good suggestion. HDFS fallback permission does create confusion for users, >it is better to restrict it to certain folders > >There is a still an issue of figuring our existing permissions for a given >folder/file. We should include a separate JIRA to modify our reporting tool >to give accurate picture on existing permissions for HDFS files/folders. In >this case, Ranger should interpret both HDFS and Ranger permissions for >folder where fallback is allowed. > >On Mon, Oct 12, 2015 at 3:14 PM, Don Bosco Durai (JIRA) <[email protected]> >wrote: > >> Don Bosco Durai created RANGER-693: >> -------------------------------------- >> >> Summary: HDFS folder permission exclusively managed my Ranger >> Key: RANGER-693 >> URL: https://issues.apache.org/jira/browse/RANGER-693 >> Project: Ranger >> Issue Type: Improvement >> Affects Versions: 0.5.1 >> Reporter: Don Bosco Durai >> Fix For: 0.6.0 >> >> >> In HDFS plugin, if there are no policies for the file/folder, then Ranger >> falls backs to HDFS file/folder permission. >> >> While this is very convenient, but in some cases it is desirable that only >> Ranger manages the policies. Good examples are folders like >> /apps/hive/warehouse or some user folders where it is better that Ranger >> manages the entire permission. >> >> One suggestion is to mark folders which will be managed by Ranger. For >> these folders, ignore all permissions and ownership set at the HDFS >> file/folder level. >> >> This will be a very useful feature for Ranger. >> >> >> >> >> -- >> This message was sent by Atlassian JIRA >> (v6.3.4#6332) >>
