[ https://issues.apache.org/jira/browse/RANGER-693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955316#comment-14955316
]
Alok Lal commented on RANGER-693:
---------------------------------
{quote}
fallback to native ACLs is done only when there are no Ranger policies to determine the access.
{quote}
It is clear to me what you mean [~madhan.neethiraj], but please allow me to build on that
statement a little to avoid potential confusion.
{quote}
when there are no policies to determine access
{quote}
Literally means that! Specifically if a policy exist which matches the resource being requested
but if it neither allows access nor _explicitly_ denies access then the fallback to HDFS'
native ACL would happen. This use cases (and Yarn plugin) helps to highlight and explain
the difference between undetermined-access v/s denied-access that have become crucial to understand
now that we have deny policies.
> HDFS folder permission exclusively managed my Ranger
> ----------------------------------------------------
>
> Key: RANGER-693
> URL: https://issues.apache.org/jira/browse/RANGER-693
> Project: Ranger
> Issue Type: Improvement
> Affects Versions: 0.5.1
> Reporter: Don Bosco Durai
> Fix For: 0.6.0
>
>
> In HDFS plugin, if there are no policies for the file/folder, then Ranger falls backs
to HDFS file/folder permission.
> While this is very convenient, but in some cases it is desirable that only Ranger manages
the policies. Good examples are folders like /apps/hive/warehouse or some user folders where
it is better that Ranger manages the entire permission.
> One suggestion is to mark folders which will be managed by Ranger. For these folders,
ignore all permissions and ownership set at the HDFS file/folder level.
> This will be a very useful feature for Ranger.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
|