HDFS Policy Creation
Through configuration, Apache Ranger enables both Ranger policies and HDFS permissions to be checked for a user request. When the NameNode receives a user request, the Ranger plugin checks for policies set through the Ranger Policy Manager. If there are no policies, the Ranger plugin checks for permissions set in HDFS.
We recommend that permissions be created at the Ranger Policy Manager, and to have restrictive permissions at the HDFS level.
To add a policy to an HDFS repository,use the HDFS Add Policy form.
HDFS Policy Creation Console
HDFS Add Policy Form
Complete the HDFS Add Policy Form as follows:
Table 5.1. HDFS Add Policy Fields
| Field | Description |
|---|---|
| Enter Policy Name | Enter a unique name for this policy. The name cannot be duplicated anywhere in the system. |
| Resource Path | Define the resource path for the policy folder/file. To avoid the need to supply the full path OR to enable the policy for al subfolders or files, you can either complete this path using wildcards (for example, /home*) or specify that the policy should be recursive. (See below.) |
| Description | (Optional) Describe the purpose of the policy. |
| Recursive | Select if all files or subfolders within the existing folder will be included in this policy. (Use this option if you have specified a specific Resource Path to the top-level folder, but want all subfolders or files to be included). |
| Audit Logging | Specify whether this policy is audited. (De-select to disable auditing). |
| Group Permissions | Use the pick list to assign group permissions appropriate to this policy. If desired, assign the group Administration privileges for the chosen resource. To add users or groups to the list, click the + button. (For further information, see Users). |
| User Permissions | Use the pick list to assign group permissions appropriate to this policy. If desired, designate one or more users as Administrators for the chosen resource. |
| Enable/Disable | Policies are enabled by default. To restrict user/group access for a policy, disable the policy. |