I am not sure I fully understand the concern here. Business users usually do not go into the Ranger UI and manage their permissions; the permissions are typically managed by a security or a Hadoop administrator. Business users usually request what permission they need and the administrators set it up. After that, it is transparent to them how the policies are set up in Ranger.
You can express HDFS policy using wildcards or include multiple directories or files in the same policy. That is the benefit of using Ranger vs HDFS ACL, where you would need to manage permissions at directory or file level. Admins can pre-create policies in Ranger and then create directories or files in HDFS.

On Thu, Jul 2, 2015 at 2:52 AM, Tanping Wang <[email protected]> wrote:

> Hi, Bosco,
> Thanks for the reply!
>
> The purpose of Ranger is to manage security policy in one place. I would agree with you that I want to manage the entire HDFS ACL at one place, for example. If this is the case, I would restrict any file permission to a user, John, on HDFS, and grant any permission that is needed for John on Ranger only. But this brings at least two problems:
>
> In case of creating new directories, admin has to go to HDFS to create any new directory and revoke any permission to any user. Secondly, admin would need to go to Ranger to open up file/directory permissions one by one. HDFS also has its own ACL; this feels very confusing to someone who is used to managing HDFS ACL, doesn't it?
>
> Also users will have to go to the Ranger UI in order to view what permission s/he has. In the meanwhile, the user will be able to see any other permissions granted to any other users? (I believe Ranger UI does not have a way to restrict a person to view his own permission only at this moment?) This introduces a privacy/security concern.
>
> Is there any good explanation or recommendation to address these?
>
> Regards,
> Tanping
>
> On Wed, Jul 1, 2015 at 6:17 AM, Don Bosco Durai <[email protected]> wrote:
>
> > Tanping
> >
> > Current Ranger permission model is permissive, which means by default there are no permissions. However, if you give one, then you can't take it back.
> >
> > This model simplifies the management of the policies. However, if you want to revoke permissions for a certain user, then it becomes difficult.
> >
> > In your use case, we recommend that you manage HDFS permissions only from Ranger. You should do "hdfs dfs -chmod -R 0000 /usr/hive" and then give explicit permissions to users from Ranger.
> >
> > If you are using HiveServer2, then we recommend configuring HS2 with "doAs=false". In this case, you just need to give permission to user "hive" at the HDFS level and manage all the table/column permissions at the Hive level using Ranger. In this case, you can also give more granular permissions up to column level.
> >
> > If you feel revoke will be useful for you, then could you create a JIRA? In the next release we can come up with a simplified version of revoke.
> >
> > Thanks
> >
> > Bosco
> >
> >
> > On 7/1/15, 12:57 PM, "Tanping Wang" <[email protected]> wrote:
> >
> > > Hi, all,
> > > My understanding of Ranger is that Ranger would open up/relax the file permission inherited from Unix. Can Ranger restrict/remove the permissions for a user? For example, if a user, John, does have permission to /usr/hive, can Ranger revoke the permission?
> > > Regards,
> > > tanping
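The thread's two points, that Ranger's HDFS model is additive (it can only open up access, never revoke what native HDFS permissions already grant) and that the recommended workaround is to chmod the tree to 0000 and express all grants as Ranger policies, possibly with wildcards that also cover directories created later, can be shown with a small model. The following is an added example written for this page; it is not Ranger's code or the Ranger plugin's evaluation logic. It assumes a toy native-permission check (owner bits vs "other" bits, ignoring group bits and HDFS ACL entries), `fnmatch`-style wildcards for policy paths, and constructed sample paths and users (`john`, `mary`, `/usr/hive/...`).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

ACCESS_BIT = {"read": 4, "write": 2, "execute": 1}


@dataclass
class Policy:
    paths: list        # resource paths; "*" and "?" act as wildcards (assumed semantics)
    recursive: bool    # whether the policy also covers everything below a matched path
    users: set
    groups: set
    accesses: set      # subset of ACCESS_BIT keys


def path_matches(pattern, path, recursive):
    """True if `path` is covered by `pattern`, directly or via an ancestor when recursive."""
    if fnmatchcase(path, pattern):
        return True
    if not recursive:
        return False
    parent = path
    while parent not in ("", "/"):
        parent = parent.rsplit("/", 1)[0] or "/"
        if fnmatchcase(parent, pattern):
            return True
    return False


def ranger_allows(policies, user, user_groups, path, access):
    """Additive model described in the thread: allowed if ANY policy grants it.
    There is no deny entry; the only way to withhold access is to have no matching policy."""
    for p in policies:
        if access not in p.accesses:
            continue
        if user not in p.users and not (set(user_groups) & p.groups):
            continue
        if any(path_matches(pat, path, p.recursive) for pat in p.paths):
            return True
    return False


def hdfs_allows(perms, user, path, access):
    """Toy native HDFS permission check (assumption): owner bits if the user owns the
    path, otherwise the 'other' bits. Group bits and HDFS ACLs are deliberately omitted."""
    if path not in perms:
        return False
    owner, mode = perms[path]
    bits = (mode >> 6) & 0o7 if user == owner else mode & 0o7
    return bool(bits & ACCESS_BIT[access])


def is_allowed(policies, perms, user, user_groups, path, access):
    """Plugin behaviour as the thread describes it: Ranger can only open up access;
    when no Ranger policy matches, the native HDFS permissions decide."""
    return (ranger_allows(policies, user, user_groups, path, access)
            or hdfs_allows(perms, user, path, access))


def lock_down(perms, root):
    """Models `hdfs dfs -chmod -R 0000 <root>`: strip every native permission bit
    under root so that only Ranger grants remain effective."""
    for path, (owner, _) in list(perms.items()):
        if path == root or path.startswith(root + "/"):
            perms[path] = (owner, 0o000)


# Constructed sample state (not from the thread): the warehouse is world-readable.
PERMS = {
    "/usr/hive": ("hive", 0o755),
    "/usr/hive/warehouse": ("hive", 0o755),
    "/usr/hive/warehouse/sales": ("hive", 0o755),
    "/usr/hive/tmp": ("hive", 0o755),
}

# One wildcard policy covers every warehouse table directory, present or future.
POLICIES = [Policy(paths=["/usr/hive/warehouse/*"], recursive=True,
                   users={"john"}, groups=set(), accesses={"read", "execute"})]


def demo():
    perms = dict(PERMS)
    sales = "/usr/hive/warehouse/sales"
    # mary has no Ranger policy, yet native 'other' bits let her read: Ranger cannot revoke this.
    before_lockdown_mary = is_allowed(POLICIES, perms, "mary", [], sales, "read")
    lock_down(perms, "/usr/hive")
    after_lockdown_mary = is_allowed(POLICIES, perms, "mary", [], sales, "read")
    after_lockdown_john = is_allowed(POLICIES, perms, "john", [], sales, "read")
    # A table directory created after the policy exists is still covered by the wildcard.
    perms["/usr/hive/warehouse/hr"] = ("hive", 0o000)
    new_dir_john = is_allowed(POLICIES, perms, "john", [], "/usr/hive/warehouse/hr", "read")
    # Outside the policy's paths, or for an access type not granted, nothing opens up.
    tmp_john = is_allowed(POLICIES, perms, "john", [], "/usr/hive/tmp", "read")
    write_john = is_allowed(POLICIES, perms, "john", [], sales, "write")
    return {
        "before_lockdown_mary": before_lockdown_mary,
        "after_lockdown_mary": after_lockdown_mary,
        "after_lockdown_john": after_lockdown_john,
        "new_dir_john": new_dir_john,
        "tmp_john": tmp_john,
        "write_john": write_john,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two halves of the thread's argument: before the lockdown, `mary` reads the table directory through native permissions although no Ranger policy names her, so there is nothing in the additive model to revoke; after `chmod -R 0000`, only the Ranger grant for `john` remains effective, and it continues to apply to `/usr/hive/warehouse/hr` even though that directory was created after the policy was written.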
