ranger-dev mailing list archives

From "Don Bosco Durai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-693) HDFS folder permission exclusively managed my Ranger
Date Wed, 14 Oct 2015 04:18:06 GMT

    [ https://issues.apache.org/jira/browse/RANGER-693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14956223#comment-14956223 ]

Don Bosco Durai commented on RANGER-693:
----------------------------------------

[~madhan.neethiraj], I am not sure this workaround will solve the problem. The challenge
will be the granularity and complexity.

E.g. in your case, we will have to set up all the "Deny"/"Allow"/"Exception" in one policy
itself for the entire tree. If there are 20 DB users, then you will deny "public", excluding
"20 users". But for these 20 users you are back to the same problem. Some might get permissions
via HDFS ACL and some from Ranger. You can start creating more policies for sub folders, but
then you get into the complexity challenge.

My suggestion is a simple list of folders which can be marked exclusively to be managed by
Ranger. Or it could be the other way, the list of folders which could use HDFS ACLs also,
e.g. /tmp folders.



> HDFS folder permission exclusively managed my Ranger
> ----------------------------------------------------
>
>                 Key: RANGER-693
>                 URL: https://issues.apache.org/jira/browse/RANGER-693
>             Project: Ranger
>          Issue Type: Improvement
>    Affects Versions: 0.5.1
>            Reporter: Don Bosco Durai
>             Fix For: 0.6.0
>
>
> In HDFS plugin, if there are no policies for the file/folder, then Ranger falls back to HDFS file/folder permission.
> While this is very convenient, in some cases it is desirable that only Ranger manages the policies. Good examples are folders like /apps/hive/warehouse or some user folders where it is better that Ranger manages the entire permission.
> One suggestion is to mark folders which will be managed by Ranger. For these folders, ignore all permissions and ownership set at the HDFS file/folder level.
> This will be a very useful feature for Ranger.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
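
The sketch below is an added example, not code from Ranger or from this message: it models the fallback to HDFS permissions described in the issue and the proposed list of folders managed exclusively by Ranger. The function names, the policy tuple shape, the sample paths under `/apps/hive/warehouse` and the `hdfs_allows` flag (standing in for the native HDFS permission/ACL check) are assumptions.

```python
import posixpath

# Constructed sample data (not from the issue): folders marked Ranger-only,
# and allow policies as (folder, users, accesses) tuples.
RANGER_ONLY = ["/apps/hive/warehouse"]
SAMPLE_POLICIES = [("/apps/hive/warehouse/sales", {"alice"}, {"read"})]


def under(path, folder):
    """True if path is folder or a descendant, compared on whole components."""
    path, folder = posixpath.normpath(path), posixpath.normpath(folder)
    return folder == "/" or path == folder or path.startswith(folder + "/")


def authorize(user, path, access, policies, hdfs_allows, ranger_only=RANGER_ONLY):
    """Return (decision, source).

    hdfs_allows is the outcome of the native HDFS permission/ACL check
    (hypothetical input; a real plugin would ask the NameNode's checker).
    """
    for folder, users, accesses in policies:
        if under(path, folder) and user in users and access in accesses:
            return ("ALLOW", "ranger-policy")
    # No policy granted access. For a Ranger-only folder, stop here and
    # ignore HDFS permissions and ownership, as the issue proposes.
    if any(under(path, f) for f in ranger_only):
        return ("DENY", "ranger-exclusive")
    # Current behaviour described in the issue: fall back to HDFS.
    return ("ALLOW" if hdfs_allows else "DENY", "hdfs-fallback")


if __name__ == "__main__":
    cases = [
        ("alice", "/apps/hive/warehouse/sales/t1", "read", False),
        ("bob", "/apps/hive/warehouse/sales/t1", "read", True),   # HDFS ACL would allow
        ("bob", "/apps/hive/warehouse2/x", "read", True),         # sibling, not a child
        ("bob", "/tmp/../apps/hive/warehouse/x", "read", True),   # normalised first
        ("bob", "/tmp/scratch", "write", True),
    ]
    for user, path, access, hdfs in cases:
        print(user, path, access, authorize(user, path, access, SAMPLE_POLICIES, hdfs))
```

The second case is the one the issue is about: an HDFS ACL that would grant access no longer applies once the folder is on the Ranger-only list.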
