Created 07-20-2016 03:22 PM
Hi all,
I am using the Atlas-Ranger sandbox machine and also tried the example given at the link below; it's working fine on the sandbox.
Link:
http://hortonworks.com/hadoop-tutorial/tag-based-policies-atlas-ranger/
But I have created my own table patient_information under the medical database, which contains a field called person_name. I tagged that field in the Atlas UI with the tag name Personal (please see the attached file).
Now I want this column to be available only to hr_admin (as in the example given at the above link). I created resource-based and tag-based policies with the same users too (hr_user and hr_admin); just my table name, column name and database are different.
After assigning the tag-based policy to the hr_admin user, that user is not able to fetch the data for that patient_information table.
Please help me.
If you go through the snapshots you will understand the whole scenario in detail.
One mistake I made while attaching the snapshots: in the attached Ranger snapshot, by mistake I wrote the tag name as demo instead of Personal.
Thanks in advance.
Created 07-21-2016 02:49 AM
Looking at your policy #7 setup for patient_information table, you have excluded access to hr group only to patient_name column. If you look at the Audit screen under Access tab in Ranger, it will tell you which specific policy might have prevented access. If there is no explicit policy you will see something like "--" in the first policy id column of the table. You can check this behavior by doing a select on non-tagged columns in the table and it should succeed if you have no other rules explicitly denying access to other columns in the patient_information table. Please attach a screenshot of the Audit screen (access tab) so we can help you further, in case this does not solve the issue.
Created 07-21-2016 05:01 AM
Thank you svenkat,
I have attached audit screen.
And as per your above response, you are saying to set up a policy which will provide access to all columns of the patient_information table. But if we go according to the link
http://hortonworks.com/hadoop-tutorial/tag-based-policies-atlas-ranger/
there they didn't specify such a policy. So my question is, then what is the use of the Atlas-Ranger tag-based policy?
According to the tag-based policy it should allow access to all the columns which are excluded in some other resource-based policy. This is the behaviour I observed at the above link.
Created 07-21-2016 11:08 AM
With the sandbox, I was able to get your scenario to work correctly as you outlined in your post. A few more items to check for troubleshooting your environment:
Created 07-21-2016 12:25 PM
Nice to see you again, svekat.
1) On the sandbox, if I test the resource-based policy, then it's working properly (i.e. the first part of the demo on the Hortonworks website (ACCESS WITHOUT TAG BASED POLICIES)), but it is failing for the CREATE TAG AND TAG BASED POLICY part.
Please remember that I am trying this whole procedure for my own tables, database etc. (I am not using the employee table which is already present in the sandbox).
2) I have attached the audit_plugin screen, please check it. I think it looks like the policy has been synchronized properly with HiveServer2.
3) And the answer to your last question is: if I disable the tag-based policy, resource policy #7 works fine for both users (i.e. they fail to select all columns with the * sign in the query).
4) How to check whether the tag sync service is running or not?
Created 07-21-2016 01:41 PM
Thank you very much, Svekat.
The issue has been resolved.
Actually, on the sandbox machine,
the ranger-tagsync service was disabled,
so I started the service by using the command: service ranger-tagsync start.
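The diagnostic advice earlier in the thread (check the Ranger Audit screen: a "--" policy ID means no policy matched) and the final root cause (tags never reached the Hive plugin because ranger-tagsync was stopped) can be turned into a small triage routine. This is an added example, not code from the thread or from Ranger itself; the event field names (reqUser, resource, result, policy, tags) are assumptions modelled on Ranger's access-audit columns, and the events are constructed, not real sandbox output.

```python
"""Triage constructed Ranger-style Hive audit events to explain a denial.

Assumption: field names mirror Ranger's access-audit schema, where a
policy id of -1 is what the UI renders as "--" (no policy matched) and
`tags` lists the Atlas tags the plugin saw on the resource.
"""
from typing import Dict, List, Tuple

# Constructed sample events (not captured from a real cluster).
AUDIT_EVENTS: List[Dict] = [
    {"reqUser": "hr_admin", "resource": "medical/patient_information/person_name",
     "access": "select", "result": 0, "policy": -1, "tags": []},
    {"reqUser": "hr_admin", "resource": "medical/patient_information/patient_id",
     "access": "select", "result": 1, "policy": 7, "tags": []},
    {"reqUser": "hr_user", "resource": "medical/patient_information/person_name",
     "access": "select", "result": 0, "policy": 7, "tags": ["Personal"]},
]

# What Atlas says should be tagged; assumed to be exported separately.
TAGGED_COLUMNS = {"medical/patient_information/person_name": "Personal"}


def explain(event: Dict) -> str:
    """Return a one-line diagnosis for a single audit event."""
    expected_tag = TAGGED_COLUMNS.get(event["resource"])
    if event["result"] == 1:
        return f"allowed by policy {event['policy']}"
    if event["policy"] == -1 and expected_tag and not event["tags"]:
        # The plugin saw no tag on a column Atlas has tagged, so no
        # tag-based policy could match: tagsync is the first suspect.
        return (f"denied: no policy matched and tag '{expected_tag}' is "
                "missing from the event; check that ranger-tagsync is running")
    if event["policy"] == -1:
        return "denied: no policy matched (implicit default deny)"
    return f"denied by policy {event['policy']}"


def triage(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Diagnose every event, keeping user and resource for the report."""
    return [(e["reqUser"], e["resource"], explain(e)) for e in events]


if __name__ == "__main__":
    for user, resource, verdict in triage(AUDIT_EVENTS):
        print(f"{user:10} {resource:45} {verdict}")
```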