Tanping, Ranger is based on a permissive model. When Ranger is doing a
policy evaluation, and if there are multiple policies for the user, then
Ranger will provide access based on the first policy that permits the
access. In Ranger 0.5, the audit log contains the policy id which granted
the access; users can find out which policy provided the access to the
user.

On Thu, Jul 2, 2015 at 2:08 AM, Tanping Wang <[email protected]> wrote:

> Hi, All,
> I hope I made myself clear in my question.  If not, please let me know.
> Basically I am asking:
>
> If I have multiple security policies set up for one component, HDFS, for
> example, speaking of the end result of the permission, is it a UNION of
> the multiple security policies, or is it an intersection, or does one
> security policy take the precedence? How does Ranger decide?
>
> Regards,
> Tanping
>
> On Wed, Jul 1, 2015 at 2:54 AM, Tanping Wang <[email protected]> wrote:
>
> > Hi,
> > I would like to understand the precedence of multiple security policies
> > in Ranger. For example,
> > I have a global security policy for HDFS which has all the permissions
> > open to a user, John
> > I have a second security policy for HDFS which has /user/hive open to
> > the user, John.
> >
> > If I have both of them on, my understanding is John would have all
> > permissions inherited from HDFS base Unix.
> >
> > How does the precedence get calculated?
> >
> > Regards,
> > Tanping
> >
>
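
A simplified model of the first-permit evaluation described in the reply at the top of this thread, added here as an example; it is not Ranger's code and not part of the original messages. The `Policy` class, the policy ids and the access sets are constructed, using the two HDFS policies for John from the question.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    policy_id: int        # constructed id, standing in for the one in the audit log
    path: str             # HDFS resource the policy covers
    recursive: bool       # whether sub-paths are covered too
    users: frozenset
    accesses: frozenset   # access types this policy permits

def covers(policy, path):
    """True when the requested path falls under the policy's resource."""
    base = policy.path.rstrip("/")
    if path.rstrip("/") == base:
        return True
    return policy.recursive and path.startswith(base + "/")

def evaluate(policies, user, path, access):
    """Permissive model: the first policy that permits the request decides it.

    Returns (allowed, policy_id). A policy that does not permit the request
    never blocks it; evaluation simply moves on to the next policy.
    """
    for p in policies:
        if user in p.users and access in p.accesses and covers(p, path):
            return True, p.policy_id
    # No policy in this list permits the request; what happens next is
    # outside this model.
    return False, None

# Constructed policies mirroring the question: a global policy and a
# narrower one on /user/hive, both for user "john".
GLOBAL = Policy(1, "/", True, frozenset({"john"}),
                frozenset({"read", "write", "execute"}))
HIVE = Policy(2, "/user/hive", True, frozenset({"john"}),
              frozenset({"read", "execute"}))

def demo():
    """Evaluate the same requests with the policies in both orders."""
    results = {}
    for label, order in (("global_first", [GLOBAL, HIVE]),
                         ("hive_first", [HIVE, GLOBAL])):
        results[label] = {
            "write": evaluate(order, "john", "/user/hive/t1", "write"),
            "read": evaluate(order, "john", "/user/hive/t1", "read"),
        }
    return results

if __name__ == "__main__":
    print(demo())
```

The allow/deny outcome is the same in either order, so the narrower policy does not restrict what the global one grants; only the recorded policy id changes.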
