I am using Atlas on HDP 2.5 and I noticed something that I wanted to know if it was a bug or not. I created a tag and added the tag to a hive table. When I did this, the hive table was not accessible to a user who had permission for that tag (Using Ranger for authorization). I assume that this is because the user did not have permission to use the database, even though there is a table in the database that matches the tag. To verify that this was the case, I gave the user the ability to run USE DATABASE;, but without the ability to select data. In this case the user was able to see all the tables in the database, but was only able to access the data of the table with the tag the user had permission for.
I would expect that if a table has a tag, the user who has permissions for that tag should be able to use the database the table is in and view the data in the table.
Any thoughts on this would be much appreciated. Thanks!
Hi @Raffi Abberbock,
If you have the following set up correctly, then you should be able to access the tagged table without setting up an Access based policy for DB.
1. Tag actually associated to the table.
2. Tag based policy which grants your user Hive permissions on that tag.
3. No other tag based policy which denies the user access to that tag through a 'deny policy condition'.
4. Association between the tag service and Hive service as Deepak mentioned in the above comment.
5. No Access based policy which denies the user access to that DB or table through a 'deny policy condition'.
Also, can you please let us know which version of Ranger you were using?
Also, the exact tag and access based policies that you created.
As for "My specific questions was assigning tags to tables and how that works in practice.", you can refer to: https://cwiki.apache.org/confluence/display/RANGER/Tag+Based+Policies
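The five-point checklist from the reply above can be run as an offline audit over exported policies. This is an added example, not part of the original thread and not Ranger's own code. The data is constructed, the field names (`tagService`, `policyItems`, `denyPolicyItems`) are assumed to follow Ranger's service and policy JSON, and only users with exact or `*` resource matches are handled (no groups, no wildcard patterns).

```python
# Constructed sample data shaped like Ranger service/policy JSON; every name
# here (cl1_hive, cl1_tag, PII, raffi, sales.customers) is hypothetical.
SERVICE = {"name": "cl1_hive", "type": "hive", "tagService": "cl1_tag"}
TABLE_TAGS = {"sales.customers": ["PII"]}  # tags attached to each table in Atlas
POLICIES = [
    {"service": "cl1_tag", "isEnabled": True,
     "resources": {"tag": {"values": ["PII"]}},
     "policyItems": [{"users": ["raffi"],
                      "accesses": [{"type": "hive:select", "isAllowed": True}]}],
     "denyPolicyItems": []},
    {"service": "cl1_hive", "isEnabled": True,
     "resources": {"database": {"values": ["sales"]}, "table": {"values": ["*"]}},
     "policyItems": [],
     "denyPolicyItems": [{"users": ["intern"],
                          "accesses": [{"type": "select", "isAllowed": True}]}]},
]

def _names(items, user, access):
    """True if any policy item lists the user together with the access type."""
    return any(user in item.get("users", []) and
               any(a["type"] == access for a in item.get("accesses", []))
               for item in items)

def _covers(resources, key, value):
    """Exact or '*' match only; a missing key is treated as covering everything."""
    values = resources.get(key, {}).get("values", ["*"])
    return "*" in values or value in values

def failed_checks(user, db, table, access, service, table_tags, policies):
    """Return the checklist item numbers (1-5) that do not hold for this request."""
    tags = set(table_tags.get(f"{db}.{table}", []))
    tag_svc = service.get("tagService")
    enabled = [p for p in policies if p.get("isEnabled", True)]
    tag_pols = [p for p in enabled if tag_svc and p["service"] == tag_svc
                and tags & set(p["resources"].get("tag", {}).get("values", []))]
    res_pols = [p for p in enabled if p["service"] == service["name"]
                and _covers(p["resources"], "database", db)
                and _covers(p["resources"], "table", table)]
    checks = {
        1: bool(tags),                                   # tag is on the table
        2: any(_names(p.get("policyItems", []), user, f"hive:{access}") for p in tag_pols),
        3: not any(_names(p.get("denyPolicyItems", []), user, f"hive:{access}") for p in tag_pols),
        4: bool(tag_svc),                                # Hive service linked to a tag service
        5: not any(_names(p.get("denyPolicyItems", []), user, access) for p in res_pols),
    }
    return [n for n, ok in checks.items() if not ok]

print(failed_checks("raffi", "sales", "customers", "select", SERVICE, TABLE_TAGS, POLICIES))
```

An empty list means all five conditions hold; a missing `tagService` link shows up as items 2 and 4 failing together, because the tag policy can never be matched to the Hive service.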