Check hdfs dfs -ls $folderName. In the case of HDFS, if Ranger doesn¹t find any permission in it¹s policy database, then it falls back to HDFS permission check. So make sure in the HDFS level, you have 700 or even 000 for the given folder and manage all the permissions via Ranger. We recommend pick all relevant folders (e.g Hive data warehouse folder) and do hdfs dfs -chown -R hdfs:hdfs $folderName and hdfs dfs chmod 000 R $folderName.
Please note, falling back to native permission is only available in HDFS. There is a switch to turn it off, but you have to be cautious when using it. Thanks Bosco From: Chanel Loïc <loic.cha...@worldline.com> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> Date: Wednesday, April 29, 2015 at 5:24 AM To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> Subject: Troubles with HDFS policies > Hi All, > > As I am trying to set a Hadoop secured cluster with Ranger, I encountered some > troubles. > The principal one consists in the fact that even if I have no rights to read, > write or execute files in a directory, I still can execute a ls command (hdfs > dfs ls /testdir) showing me the files that I should not be able to read, or > even see. I can even see the file contents by making a cat on these files > (hdfs dfs cat /testdir/testfile) that I should not be able to read, which is > even more problematic to me. > In parallel, I am not able to put any files in the directory (Permission > denied for hdfs dfs put myotherfile /testdir/myotherfile), which makes me > think the policies are correctly set. > > Does that sound quite normal to you ? Do you see a solution to make sure my > user toto cannot see what is in the repository of my user tata ? > Thanks for your help, > > > Loïc Chanel > > > > Ce message et les pièces jointes sont confidentiels et réservés à l'usage > exclusif de ses destinataires. Il peut également être protégé par le secret > professionnel. Si vous recevez ce message par erreur, merci d'en avertir > immédiatement l'expéditeur et de le détruire. L'intégrité du message ne > pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra > être recherchée quant au contenu de ce message. Bien que les meilleurs efforts > soient faits pour maintenir cette transmission exempte de tout virus, > l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne > saurait être recherchée pour tout dommage résultant d'un virus transmis. > > This e-mail and the documents attached are confidential and intended solely > for the addressee; it may also be privileged. If you receive this e-mail in > error, please notify the sender immediately and destroy it. As its integrity > cannot be secured on the Internet, the Worldline liability cannot be triggered > for the message content. Although the sender endeavours to maintain a computer > virus-free network, the sender does not warrant that this transmission is > virus-free and will not be liable for any damages resulting from any virus > transmitted.
