Hadoop Security Guide
Also available as:
loading table of contents...

Create an HDFS Policy

Through configuration, Apache Ranger enables both Ranger policies and HDFS permissions to be checked for a user request. When the NameNode receives a user request, the Ranger plugin checks for policies set through the Ranger Service Manager. If there are no policies, the Ranger plugin checks for permissions set in HDFS.

We recommend that permissions be created at the Ranger Service Manager, and to have restrictive permissions at the HDFS level.

To add a new policy to an existing HDFS service:

  1. On the Service Manager page, select an existing service under HDFS.


    The List of Policies page appears.

    List of Policies page
  2. Click Add New Policy.

    Add New Policy button

    The Create Policy page appears.

    HDFS Policy Creation Console
  3. Complete the Create Policy page as follows:

    Table 3.39. Policy Details

    Policy NameEnter a unique name for this policy. The name cannot be duplicated anywhere in the system.
    Resource PathDefine the resource path for the policy folder/file. To avoid the need to supply the full path OR to enable the policy for al subfolders or files, you can either complete this path using wildcards (for example, /home*) or specify that the policy should be recursive. (See below.)
    Description(Optional) Describe the purpose of the policy.
    Audit LoggingSpecify whether this policy is audited. (De-select to disable auditing).

    Table 3.40. User and Group Permissions



    Select Group Specify the group to which this policy applies. To designate the group as an Administrator for the chosen resource, specify Admin permissions. (Administrators can create child policies based on existing policies).
    Select UserSpecify a particular user to which this policy applies (outside of an already-specified group) OR designate a particular user as Admin for this policy. (Administrators can create child policies based on existing policies).
    PermissionsAdd or edit permissions: Read, Write, Create, Admin, Select/Deselect All.
    Delegate AdminWhen a policy is assigned to a user or a group of users those users become the delegated admin. The delegated admin can update, delete the policies. It can also create child policies based on the original policy (base policy).

    Wild cards can be included in the resource path, in the database name, the table name, or column name:

    • * indicates zero or more occurrences of characters

    • ? indicates a single character

  4. Click Add.

    the green Add button