Hi, I'm wondering what the best practices for policies in Ranger are? With Deny policies I'm not sure anymore.
The way I understand it I now need to * add a ALLOW <group> policy * add a DENY public group * add a DENY EXCLUDE <group> policy so that I can allow access for people from the <group>. Those would be three rules for one ALLOW. We can disable the HDFS fallback but it's global. What I had assumed so far (wrongly) is that as soon as there is a policy that matches a resource it is authoritative i.e. if this policy doesn't allow access it'll not fall through and deny. Is there anything I misunderstood and/or what are the best practices for policies in Ranger these days? I know this Wiki page (< https://cwiki.apache.org/confluence/display/RANGER/How+Deny+Policies+Work+in+Apache+Ranger>) but that misses just those corner cases. I assume (from my experience with customers) that quite a few people are actually using Ranger wrong if my understanding is correct. Thanks for your help! Cheers, Lars
