ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alok Lal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-693) HDFS folder permission exclusively managed my Ranger
Date Tue, 13 Oct 2015 17:31:05 GMT

    [ https://issues.apache.org/jira/browse/RANGER-693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955316#comment-14955316
] 

Alok Lal commented on RANGER-693:
---------------------------------

{quote}
fallback to native ACLs is done only when there are no Ranger policies to determine the access.

{quote}
It is clear to me what you mean [~madhan.neethiraj], but please allow me to build on that
statement a little to avoid potential confusion.
{quote}
when there are no policies to determine access 
{quote}
Literally means that!  Specifically if a policy exist which matches the resource being requested
but if it neither allows access nor _explicitly_ denies access then the fallback to HDFS'
native ACL would happen.  This use cases (and Yarn plugin) helps to highlight and explain
the difference between undetermined-access v/s denied-access that have become crucial to understand
now that we have deny policies.

> HDFS folder permission exclusively managed my Ranger
> ----------------------------------------------------
>
>                 Key: RANGER-693
>                 URL: https://issues.apache.org/jira/browse/RANGER-693
>             Project: Ranger
>          Issue Type: Improvement
>    Affects Versions: 0.5.1
>            Reporter: Don Bosco Durai
>             Fix For: 0.6.0
>
>
> In HDFS plugin, if there are no policies for the file/folder, then Ranger falls backs
to HDFS file/folder permission.
> While this is very convenient, but in some cases it is desirable that only Ranger manages
the policies. Good examples are folders like /apps/hive/warehouse or some user folders where
it is better that Ranger manages the entire permission.
> One suggestion is to mark folders which will be managed by Ranger. For these folders,
ignore all permissions and ownership set at the HDFS file/folder level.
> This will be a very useful feature for Ranger.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message