https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135745#M43786 <P>For the moment I will not use this <STRONG><EM>exclude</EM></STRONG> switch because it behaves not as I (and my client) would expect. I will go for the Deny Conditions extension for the Hive service.</P><P>The exclude switch is confusing in that it seems to swap an allow into a deny, but it doesn't. It only excludes the resources from the policy</P> Tue, 18 Oct 2016 17:37:05 GMT jknulst 2016-10-18T17:37:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135739#M43780 <P>Hi,</P><P>I have read the <A href="https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies" rel="nofollow noopener noreferrer" target="_blank">manual</A> but I don't understand the behaviour of 2 policies I have regarding the same Hive table.</P><P>Policy 15 is a global allow policy on all Hive tables, all columns:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="8639-screen-shot-2016-10-18-at-82358-am.png" style="width: 2512px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/22049i3596CEFC9FCB1AF9/image-size/medium?v=v2&amp;px=400" role="button" title="8639-screen-shot-2016-10-18-at-82358-am.png" alt="8639-screen-shot-2016-10-18-at-82358-am.png" /></span></P><P>then I have policy 31 like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="8634-screen-shot-2016-10-18-at-121942-am.png" style="width: 2504px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/22050i98943E9B8E10E0B4/image-size/medium?v=v2&amp;px=400" role="button" title="8634-screen-shot-2016-10-18-at-121942-am.png" alt="8634-screen-shot-2016-10-18-at-121942-am.png" /></span></P><P>But whatever I try, user raj_ops still can run 'select * from employee' and get results. </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="8635-screen-shot-2016-10-18-at-122631-am.png" style="width: 2758px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/22051i83AE90A0975B4244/image-size/medium?v=v2&amp;px=400" role="button" title="8635-screen-shot-2016-10-18-at-122631-am.png" alt="8635-screen-shot-2016-10-18-at-122631-am.png" /></span></P><P>Policy 31 is not evaluated as a 'deny' on the resource. I know you can add explicit Deny Conditons to the hive service, and I will try that. But the question is what the EXCLUDE switch (after the Hive column* box ) is good for when it is not picked up. </P> Mon, 19 Aug 2019 08:54:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135739#M43780 jknulst 2019-08-19T08:54:06Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135740#M43781 <P>you mentioned there is a global allow policy , can you please attach screenshot of that too</P> Tue, 18 Oct 2016 12:56:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135740#M43781 dsharma 2016-10-18T12:56:41Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135741#M43782 <P><A href="https://community.hortonworks.com/questions/62016/edit.html#">@Deepak Sharma</A> added in main question</P> Tue, 18 Oct 2016 13:28:14 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135741#M43782 jknulst 2016-10-18T13:28:14Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135742#M43783 <P><A rel="user" href="https://community.cloudera.com/users/12513/jknulst.html" nodeid="12513">@Jasper</A> in policy 15 i can see you have added * resources for all and raj_ops is part of the user , so he is able to access all </P> Tue, 18 Oct 2016 13:48:43 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135742#M43783 dsharma 2016-10-18T13:48:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135743#M43784 <P><A rel="user" href="https://community.cloudera.com/users/505/dsharma.html" nodeid="505">@Deepak Sharma</A> Yes, but I would expect that if 1 policy (15) says 'yes' and the other (31) says 'no', then it should be 'no' . As is stated in the schema in the <A href="https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies">manual</A></P> Tue, 18 Oct 2016 13:57:26 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135743#M43784 jknulst 2016-10-18T13:57:26Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135744#M43785 <P>No <A rel="user" href="https://community.cloudera.com/users/12513/jknulst.html" nodeid="12513">@Jasper</A> this will be the case when there is deny condition for raj_ops , then raj_ops will be denied from performing operation, but in current scenario you can see both are allow condition , in such case if any of the condtion match then it will be allowed , and even manual also says same !</P> Tue, 18 Oct 2016 15:11:42 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135744#M43785 dsharma 2016-10-18T15:11:42Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135745#M43786 <P>For the moment I will not use this <STRONG><EM>exclude</EM></STRONG> switch because it behaves not as I (and my client) would expect. I will go for the Deny Conditions extension for the Hive service.</P><P>The exclude switch is confusing in that it seems to swap an allow into a deny, but it doesn't. It only excludes the resources from the policy</P> Tue, 18 Oct 2016 17:37:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135745#M43786 jknulst 2016-10-18T17:37:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135746#M43787 <P>For the moment I will not use this <STRONG><EM>exclude</EM></STRONG> switch because it behaves not as I (and my client) would expect. I will go for the Deny Conditions extension for the Hive service.</P><P>The exclude switch is confusing in that it seems to swap an allow into a deny, but it doesn't. It only excludes the resources from the policy</P> Tue, 18 Oct 2016 17:37:08 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-stacked-policy-evaluation-with-EXCLUDE-switch/m-p/135746#M43787 jknulst 2016-10-18T17:37:08Z