I tried to follow the tutorial on the tag based policy in Atlas, but can't seem to make it work. Actually the tutorial itself seems to be misleading with the tag based policy.
In part 4, although it looks like the access is granted through the tag based policy by excluding the admin user in deny access, it is not. Even if I disable that tag based policy in Ranger, the access for the admin user is still there. It is because the original 2 resource based policies are enabled, which grant the admin user all access. So with or without the tag based policy, the admin user always has access to the hive table.
I also tried to modify the tag based policy in the tutorial so it blocks access for the admin user by putting the following in the deny conditions. And the admin user still has access.
Select Group – none
Select User – admin
Component Permission – Hive – Select
You can select the component permission through this popup:
All resource based policies worked as expected and the problem only exists with tag related policies.
After some digging in the Ranger audit, it seems that when tag related policies are created/changed, they were not synced to the plugin. Not sure if that is the reason behind the failure.
You can see the sync only happened with resource based policies.
Please provide a screenshot of the Audit panel -> Access tab. You can check which policy is firing and allowing access for admin from the Audit screen in the Access tab. FYI, there is no separate plugin sync for tag based and resource based policies - if you have an entry for the hiveServer2 under plugin id column after you updated the policy that means all policies are synced.
I always got the "Unable to connect to Audit store !!" error in the Audit=>Access tab. Nothing in that tab.
I downloaded the HDP2.5 TP Sandbox in early July. Not sure if there is a newer version out after that.