I am wondering why Apache Ranger has both allow/exclude and deny/exclude conditions when setting policies. E.g., I tried setting an HDFS access policy such that only user user1 had access. However, when testing, I found that it basically had no effect and others could access the HDFS location as well. It only worked as intended after setting a public group deny condition on the policy. [image: hdp] <https://i.stack.imgur.com/GQl84.png>
Given this, when would Ranger ever use the allow conditions and not just do something like "deny public, but exclude from this user1." It seems redundant as it is now, so I'm wondering if I am misunderstanding how it is intended to be used or not seeing a potential use case where this would come into play. Could anyone clarify this for me?