Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Atlas Tag on Hive Table using Ranger authorization

Atlas Tag on Hive Table using Ranger authorization

New Contributor

I am using Atlas on HDP 2.5 and I noticed something that I wanted to know if it was a bug or not. I created a tag and added the tag to a hive table. When I did this, the hive table was not accessible to a user who had permission for that tag (Using Ranger for authorization). I assume that this is beacuse the user did not have permission to use the database, even though there is a table in the database that matches the tag. To verify that this was the case, I gave the user the ability to run USE DATABASE;, but without the ability to select data. In this case the user was able to see all the tables in the database, but was only able to access the data of the table with the tag the user had permission for.

I would expect that if a table has a tag, the user who has permissions for that tag should be able to use the database the table is in and view the data in the table.

Any thoughts on this would be much appreciated. Thanks!

Raffi

3 REPLIES 3

Re: Atlas Tag on Hive Table using Ranger authorization

@Raffi Abberbock

you need to associate the tag service with the hive service as follows:

for ex: my tagservice tag_service_1

screen-shot-2016-12-02-at-13027-pm.png

then associate the tag service with hive:

screen-shot-2016-12-02-at-13046-pm.png

Re: Atlas Tag on Hive Table using Ranger authorization

New Contributor

@Deepak Sharma I am able to associate the tag service with Hive. My specific questions was assigning tags to tables and how that works in practice.

Highlighted

Re: Atlas Tag on Hive Table using Ranger authorization

Contributor

Hi @Raffi Abberbock,

If you have the following set up correctly, then you should be able to access the tagged table without setting up an Access based policy for DB.

1. Tag actually associated to the table.

2. Tag based policy which grants your user Hive permissions on that tag.

3. No other tag based policy which denies the user access to that tag through a 'deny policy condition'.

4. Association between the tag service and Hive service as Deepak mentioned in the above comment.

5. No Access based policy which denies the user access to that DB or table through a 'deny policy condition'.

Also, can you pls let us know which version of Ranger were you using?

Also, the exact tag and access based policies that you created..

As for "My specific questions was assigning tags to tables and how that works in practice.", you can refer: https://cwiki.apache.org/confluence/display/RANGER/Tag+Based+Policies

CC: @akulkarni