Atlas tag based policy not working on Sandbox 2.5 TP

Master Collaborator

I tried to follow the tutorial on the tag based policy in Atlas, but can't seem to make it work. Actually the tutorial itself seems to be misleading with the tag based policy.

In part 4, although it looks like the access is granted through the tag based policy by excluding the admin user in deny access, it is not. Even if I disable that tag based policy in Ranger, the access for the admin user is still there. It is because the original 2 resource based policies are enabled, which grant the admin user all access. So with or without the tag based policy, the admin user always has access to the hive table.

I also tried to modify the tag based policy in the tutorial so it blocks access for the admin user by putting the following in the deny conditions. And the admin user still has access.

Select Group – none
Select User – admin
Component Permission – Hive – Select
You can select the component permission through this popup:

All resource based policies worked as expected and the problem only exists with tag related policies.

After some digging in the Ranger audit, it seems that when tag related policies are created/changed, they were not synced to the plugin. Not sure if that is the reason behind the failure.

[Screenshot: 6379-policy-change.png]

You can see the sync only happened with resource based policies

[Screenshot: 6380-plugin-sync.png]

1 ACCEPTED SOLUTION

Master Collaborator

This is addressed in the latest sandbox, not an issue any more.

5 REPLIES

Rising Star

Please provide a screenshot of the Audit panel -> Access tab. You can check which policy is firing and allowing access for admin from the Audit screen in the Access tab. FYI, there is no separate plugin sync for tag based and resource based policies - if you have an entry for the hiveServer2 under plugin id column after you updated the policy that means all policies are synced.

Master Collaborator

I always got "Unable to connect to Audit store !!" error in Audit=>Access tab. Nothing in that tab

Super Collaborator

@Qi Wang, let me check from my end, will keep you posted as early as possible.

Master Collaborator

I downloaded the HDP2.5 TP Sandbox in early July. Not sure if there is a newer version out after that.

Master Collaborator

This is addressed in the latest sandbox, not an issue any more.