Why it matters
Enterprise clusters have hundreds or thousands of users organized into overlapping groups. A finance analyst might belong to finance, all-analysts, and audit-readers simultaneously, and a file might need to grant slightly different permissions to each. The POSIX model with only three roles cannot express this; extended ACLs and Ranger together can.
Regulatory compliance drives many of these requirements. Data classification schemes, GDPR requirements, HIPAA controls, and PCI-DSS all mandate specific access control patterns that need to be provably enforced. A well-configured Ranger deployment produces the audit trail that regulators expect.
The architecture
Every HDFS inode has three fields for permission control: owner (a username), group (a group name), and a nine-bit mode string like rwxr-x--- controlling how the owner, group members, and others can interact with the file. This is straight POSIX semantics and works exactly like a Unix filesystem for reads, writes, execute, and directory traversal.
Extended ACLs augment this with a variable-length list of additional access control entries. Each entry names either a specific user or a specific group and specifies the permission bits granted to that identity. When a client tries to access a file, the NameNode checks the owner match first, then the group match, then walks the extended ACL, and finally falls back to the other bits.
How it works end to end
Ranger sits above HDFS at the plugin layer. A Ranger plugin installed on the NameNode intercepts every filesystem operation and consults the Ranger policy engine before returning success or failure. Policies are defined centrally in the Ranger admin UI and pushed to the NameNode plugin on a periodic sync.
The evaluation order matters. HDFS first evaluates its own permission checks (POSIX plus ACLs). If those pass, control moves to the Ranger plugin, which evaluates its policies against the same path. Both must pass for the operation to succeed. This layered approach means that misconfigured Ranger policies never accidentally grant access beyond what HDFS itself allows, but they can still deny access that HDFS would have permitted.
Ranger policies are far more expressive than POSIX or ACLs. They can grant access by resource path, by user or group, by time of day, by allowed operations, and can include tag-based rules driven by Apache Atlas metadata classifications. This is how enterprises implement data classification workflows where PII-tagged data automatically restricts access without individual policy updates.