Currently, CDAP does not support the pushing of authorization policy grants and revokes to storage providers. As a result, when a user is granted READ or WRITE access on existing datasets or streams, permissions are not updated in the storage providers. The same applies when authorization policies are revoked.
A newly-applied authorization policy will be enforced when the dataset or stream is accessed from CDAP, but not when it is accessed directly in the storage provider. If the pushdown of permissions to storage providers is desired, it needs to be done manually. This will be done automatically in a future release of CDAP.
This limitation has a larger implication when cross-namespace dataset access is used. When accessing a dataset from a different namespace, CDAP currently presumes that the user accessing the dataset has been granted permissions on the dataset in the storage provider prior to accessing the dataset from CDAP.
...