Reporting on Ranger admin primarily. Not everyone uses HDFS ACLs; we need to think about POSIX permissions as well. We need a way to query HDFS and get all permissions available for a particular file or directory and merge them with Ranger policies to give an accurate picture of the actual permissions an end user would get. This is for administrators to get a view of any HDFS folder/file and existing permissions.

On Wed, Oct 14, 2015 at 11:18 AM, Don Bosco Durai <[email protected]> wrote:

> Agree we need a separate JIRA to track this.
>
> There are 2 use cases:
> 1. Reporting on Ranger Admin: We have to make calls to HDFS to get the HDFS ACLs and merge with ours.
> 2. Support -getfacl: When -getfacl API is called, within the HDFS process, Ranger plugin can merge both the permission set and respond.
>
> Both have different perspective. What were you thinking of?
>
> Bosco
>
> On 10/13/15, 8:49 AM, "Balaji Ganesan" <[email protected]> wrote:
>
> >Good suggestion. HDFS fallback permission does create confusion for users, it is better to restrict it to certain folders
> >
> >There is still an issue of figuring out existing permissions for a given folder/file. We should include a separate JIRA to modify our reporting tool to give accurate picture on existing permissions for HDFS files/folders. In this case, Ranger should interpret both HDFS and Ranger permissions for folder where fallback is allowed.
> >
> >On Mon, Oct 12, 2015 at 3:14 PM, Don Bosco Durai (JIRA) <[email protected]> wrote:
> >
> >> Don Bosco Durai created RANGER-693:
> >> --------------------------------------
> >>
> >>              Summary: HDFS folder permission exclusively managed my Ranger
> >>                  Key: RANGER-693
> >>                  URL: https://issues.apache.org/jira/browse/RANGER-693
> >>              Project: Ranger
> >>           Issue Type: Improvement
> >>     Affects Versions: 0.5.1
> >>             Reporter: Don Bosco Durai
> >>              Fix For: 0.6.0
> >>
> >>
> >> In HDFS plugin, if there are no policies for the file/folder, then Ranger falls back to HDFS file/folder permission.
> >>
> >> While this is very convenient, in some cases it is desirable that only Ranger manages the policies. Good examples are folders like /apps/hive/warehouse or some user folders where it is better that Ranger manages the entire permission.
> >>
> >> One suggestion is to mark folders which will be managed by Ranger. For these folders, ignore all permissions and ownership set at the HDFS file/folder level.
> >>
> >> This will be a very useful feature for Ranger.
> >>
> >> --
> >> This message was sent by Atlassian JIRA
> >> (v6.3.4#6332)
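
The report discussed in this thread, sketched as an added example that is not part of the original messages and is not Ranger code: it merges POSIX mode bits with a simplified policy list, applies the fallback as worded in RANGER-693, and honours the proposed "managed by Ranger" folder marking. The `Policy` shape, the `effective` function, the users and the sample paths other than `/apps/hive/warehouse` are assumptions, and HDFS ACL entries are not modelled.

```python
from dataclasses import dataclass

# Constructed model: the policy shape, users and paths are assumptions for
# illustration, not Ranger's real policy format.
@dataclass
class Policy:
    path: str   # folder covered, recursively
    user: str
    perms: str  # subset of "rwx"

@dataclass
class HdfsEntry:
    owner: str
    group: str
    mode: int   # POSIX mode bits, e.g. 0o750

def posix_perms(entry, user, groups):
    """rwx string granted by the owner/group/other bits (HDFS ACLs not modelled)."""
    if user == entry.owner:
        bits = entry.mode >> 6
    elif entry.group in groups:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return "".join(c for c, b in zip("rwx", (4, 2, 1)) if bits & b)

def covers(folder, path):
    folder = folder.rstrip("/")
    return path == folder or path.startswith(folder + "/")

def effective(path, user, groups, entry, policies, managed):
    """Return (perms, source) as one row of an administrator report."""
    matching = [p for p in policies if covers(p.path, path)]
    if matching:  # at least one Ranger policy covers the path: Ranger decides
        granted = {c for p in matching if p.user == user for c in p.perms}
        return "".join(c for c in "rwx" if c in granted), "ranger"
    if any(covers(m, path) for m in managed):
        return "", "ranger-managed"   # proposed: HDFS permissions ignored
    return posix_perms(entry, user, groups), "hdfs-fallback"

POLICIES = [Policy("/apps/hive/warehouse", "hive", "rwx")]
MANAGED = ["/apps/hive/warehouse", "/user/alice"]
ENTRY = HdfsEntry(owner="alice", group="hadoop", mode=0o750)

if __name__ == "__main__":
    for path, user, groups in [("/apps/hive/warehouse/t1", "hive", []),
                               ("/user/alice/notes", "alice", []),
                               ("/tmp/x", "bob", ["hadoop"])]:
        print(path, user, effective(path, user, groups, ENTRY, POLICIES, MANAGED))
```

The `source` column is what tells an administrator whether a row came from a Ranger policy, from the HDFS fallback, or from a folder where the fallback is switched off.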
