
Policy definition and auditing for HDFS
For every service in Ranger, we can associate different policies with the resources in that service. In the case of HDFS, the resources are the file and directory paths.
In this section, we will define a new policy for an HDFS path called projects for three users: hdfs-alice, hdfs-bob, and hdfs-tom. Only hdfs-alice is allowed all permissions; the rest of the users have only read access.
We will see how Ranger enforces access restrictions once the policy is in place.
Let's see the screen for the policy creation:

Once we hit the Add button, this policy is registered and added under the current service.
Now, let's get back to the Unix terminal and see how Ranger enforces the policies.
This screen shows how hdfs and hdfs-alice users are allowed to create directories /projects and /projects/1, but how this is denied for hdfs-tom:

Apache Ranger also has an audit section in the web interface, where we can see these access patterns.
This screen shows that hdfs-tom is denied and hdfs-alice is granted access by the policy:

In the same way, we can define our own policies and customize how HDFS should allow or deny access to several resources.
The power and flexibility of Ranger come from its configurability. There is no need to edit configuration files or restart applications for access control to take effect.
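The policy described above can also be written down as data and checked before it is registered. The following is an added example, not code from the original page or from the Ranger project: it builds the policy in the JSON shape used by Ranger's public v2 policy API and evaluates it with a deliberately simplified model (allow items of this one policy only, no groups, deny items, or fallback to native HDFS permissions). The service name `example_hdfs_service` and the policy name `projects-access` are placeholders.

```python
import json

# Access types defined by Ranger's HDFS service definition.
HDFS_ACCESS_TYPES = ("read", "write", "execute")

def policy_item(users, access_types):
    """One allow item: the listed users get the listed access types."""
    return {
        "users": list(users),
        "accesses": [{"type": t, "isAllowed": True} for t in access_types],
        "delegateAdmin": False,
    }

def build_projects_policy(service="example_hdfs_service"):
    """Policy from this section; service and policy name are placeholders."""
    return {
        "service": service,
        "name": "projects-access",
        "isEnabled": True,
        "isAuditEnabled": True,  # keep allow/deny decisions visible in the audit view
        "resources": {"path": {"values": ["/projects"], "isRecursive": True}},
        "policyItems": [
            policy_item(["hdfs-alice"], HDFS_ACCESS_TYPES),
            policy_item(["hdfs-bob", "hdfs-tom"], ["read"]),
        ],
    }

def path_matches(resource, path):
    """Exact match, or prefix match on a path boundary when recursive."""
    for value in resource["values"]:
        base = value.rstrip("/") or "/"
        if path == base:
            return True
        if resource.get("isRecursive") and path.startswith(base.rstrip("/") + "/"):
            return True
    return False

def is_allowed(policy, user, access, path):
    """Simplified decision: only this policy's allow items are considered."""
    if not policy.get("isEnabled", True):
        return False
    if not path_matches(policy["resources"]["path"], path):
        return False
    return any(
        user in item["users"]
        and any(a["type"] == access and a["isAllowed"] for a in item["accesses"])
        for item in policy["policyItems"]
    )

if __name__ == "__main__":
    policy = build_projects_policy()
    print(json.dumps(policy, indent=2))
    for user in ("hdfs-alice", "hdfs-bob", "hdfs-tom"):
        print(user, "write /projects ->", is_allowed(policy, user, "write", "/projects"))
```

Creating /projects/1 requires write access on /projects, which is why the check uses that path. The printed JSON is the request body that Ranger Admin accepts at `POST /service/public/v2/api/policy`.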