Tanping,

Current Ranger permission model is permissive, which means by default there are no permissions. However, if you give one, then you can't take it back. This model simplifies the management of the policies. However, if you want to revoke permissions for a certain user, then it becomes difficult.

In your use case, we recommend that you manage HDFS permissions only from Ranger. You should do "hdfs dfs -chmod -R 0000 /usr/hive" and then give explicit permissions to users from Ranger.

If you are using HiveServer2, then we recommend configuring HS2 with "doAs=false". In this case, you just need to give permission to user "hive" at the HDFS level and manage all the table/column permissions at the Hive level using Ranger. In this case, you can also give more granular permissions up to column level.

If you feel revoke will be useful for you, then can you create a JIRA? In the next release we can come up with a simplified version of revoke.

Thanks

Bosco

On 7/1/15, 12:57 PM, "Tanping Wang" <[email protected]> wrote:

> Hi, all,
> My understanding of Ranger is that Ranger would open up/relax the file
> permission inherited from Unix. Can Ranger restrict/remove the permissions
> for a user? For example, if a user, John does have permission to
> /usr/hive. Can Ranger revoke the permission?
> Regards,
> tanping
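A simplified model of the permissive evaluation discussed in this thread, added here as an illustration and not taken from Ranger's code or from either poster: an allow policy in Ranger grants access, and a request that no policy grants falls back to the HDFS mode bits, which is why access survives in Ranger's absence until the directory is set to 0000. The function names, the policy structure and the sample users and groups are assumptions, and the HDFS superuser (which bypasses mode bits) is not modelled.

```python
# Simplified model (an assumption, not Ranger source code): a Ranger allow
# policy grants access; otherwise the decision falls back to HDFS mode bits.
from collections import namedtuple

HdfsPath = namedtuple("HdfsPath", "owner group mode")   # mode e.g. 0o755
Policy = namedtuple("Policy", "path user perms")        # allow-only policy
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def posix_allows(node, user, groups, perm):
    """Classic owner/group/other check on the HDFS mode bits."""
    if user == node.owner:
        shift = 6
    elif node.group in groups:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & PERM_BITS[perm])


def ranger_allows(policies, path, user, perm):
    """Allow-only policies: a match can grant access, never deny it."""
    return any(
        p.user == user and perm in p.perms
        and (path == p.path or path.startswith(p.path.rstrip("/") + "/"))
        for p in policies
    )


def is_allowed(policies, node, path, user, groups, perm):
    # Ranger first; fall back to native HDFS permissions if no policy grants.
    return ranger_allows(policies, path, user, perm) or posix_allows(
        node, user, groups, perm)


def demo():
    """Constructed scenario: the only Ranger policy is for user 'hive'."""
    open_dir = HdfsPath("hive", "hadoop", 0o755)     # before the chmod
    locked_dir = HdfsPath("hive", "hadoop", 0o000)   # after chmod -R 0000
    policies = [Policy("/usr/hive", "hive", {"r", "w", "x"})]
    john = ("/usr/hive", "john", {"users"}, "r")
    return (
        is_allowed(policies, open_dir, *john),    # mode bits still let john in
        is_allowed(policies, locked_dir, *john),  # only a Ranger grant would
        is_allowed(policies, locked_dir, "/usr/hive/t1", "hive", {"hadoop"}, "w"),
    )
```

With the directory at 0000, removing or never creating a Ranger policy for a user is what keeps that user out, so Ranger becomes the single place where access is decided.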
