https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165875#M128233 <P>I download the HDP2.5 TP Sandbox in early July. Not sure if there is newer version out after that.</P> Mon, 08 Aug 2016 09:21:02 GMT qiwang 2016-08-08T09:21:02Z https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165871#M128229 <P>I tried to follow the <A href="https://github.com/hortonworks/tutorials/blob/hdp-2.5/tutorials/hortonworks/tag-based-policies-atlas-ranger/tutorial.md" rel="nofollow noopener noreferrer" target="_blank">tutorial</A> on the tag based policy in Atlas, but can't seem to make it work. Actually the tutorial itself seems to be misleading with the tag based policy.</P><P>In <A href="https://github.com/hortonworks/tutorials/blob/hdp-2.5/tutorials/hortonworks/tag-based-policies-atlas-ranger/tutorial.md#4-create-tag-and-tag-based-policy-" rel="nofollow noopener noreferrer" target="_blank">part 4</A>, although it looks like the access is granted through the tag based policy by excluding admin user in deny access, it is not. Even I disable that tag based policy in Ranger, the access for admin user is still there. It is because the original 2 resource based policies are enabled which grant admin user all access. So with or without the tag based policy, the admin use always has access to the hive table.</P><P>I also tried is to modify the tag based policy in the tutorial so it blocks access for admin user by put the following in the deny conditions. And admin use still has access</P><PRE>Select Group – none Select User – admin Component Permission – Hive – Select You can select the component permission through this popup:</PRE><P>All resourced based policy worked as expected and the problem only exist with tag related policy.</P><P>After some digging in Ranger audit, it seems that when tag related policy is created/changed, they were not synced to plug in, not sure if that is the reason behind the failure</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6379-policy-change.png" style="width: 2451px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/20357iA2A97D8B61BCB78D/image-size/medium?v=v2&amp;px=400" role="button" title="6379-policy-change.png" alt="6379-policy-change.png" /></span></P><P>You can see the sync only happened with resource based policies</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6380-plugin-sync.png" style="width: 2452px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/20358i6F9D4E12707E12A3/image-size/medium?v=v2&amp;px=400" role="button" title="6380-plugin-sync.png" alt="6380-plugin-sync.png" /></span></P> Sun, 18 Aug 2019 11:16:04 GMT https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165871#M128229 qiwang 2019-08-18T11:16:04Z https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165872#M128230 <P>Please provide a screenshot of the Audit panel -&gt; Access tab. You can check which policy is firing and allowing access for admin from the Audit screen in the Access tab. FYI, there is no separate plugin sync for tag based and resource based policies - if you have an entry for the hiveServer2 under plugin id column after you updated the policy that means <STRONG>all</STRONG> policies are synced. </P> Fri, 05 Aug 2016 11:09:01 GMT https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165872#M128230 svenkat 2016-08-05T11:09:01Z https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165873#M128231 <P>I always got "Unable to connect to Audit store !!" error in Audit=&gt;Access tab. Nothing in that tab</P> Sat, 06 Aug 2016 01:33:38 GMT https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165873#M128231 qiwang 2016-08-06T01:33:38Z https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165874#M128232 <P><A rel="user" href="https://community.cloudera.com/users/3090/qiwang.html" nodeid="3090">@Qi Wang</A>, let me check from my end, will keep u posted as early as possible</P> Sat, 06 Aug 2016 06:06:50 GMT https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165874#M128232 mrizvi 2016-08-06T06:06:50Z https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165875#M128233 <P>I download the HDP2.5 TP Sandbox in early July. Not sure if there is newer version out after that.</P> Mon, 08 Aug 2016 09:21:02 GMT https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165875#M128233 qiwang 2016-08-08T09:21:02Z https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165876#M128234 <P>this is addressed in the latest sandbox, no an issue any more</P> Wed, 02 Nov 2016 21:36:48 GMT https://community.cloudera.com/t5/Support-Questions/Atlas-tag-based-policy-not-working-on-Sandbox-2-5-TP/m-p/165876#M128234 qiwang 2016-11-02T21:36:48Z