Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Atlas tag based policy not working on Sandbox 2.5 TP

Labels:
avatar
author-rank qiwang
Master Collaborator

Created on ‎08-05-2016 01:54 AM - edited ‎08-18-2019 04:16 AM

I tried to follow the tutorial on the tag based policy in Atlas, but can't seem to make it work. Actually the tutorial itself seems to be misleading with the tag based policy.

In part 4, although it looks like the access is granted through the tag based policy by excluding admin user in deny access, it is not. Even I disable that tag based policy in Ranger, the access for admin user is still there. It is because the original 2 resource based policies are enabled which grant admin user all access. So with or without the tag based policy, the admin use always has access to the hive table.

I also tried is to modify the tag based policy in the tutorial so it blocks access for admin user by put the following in the deny conditions. And admin use still has access

Select Group – none
Select User – admin
Component Permission – Hive – Select
You can select the component permission through this popup:

All resourced based policy worked as expected and the problem only exist with tag related policy.

After some digging in Ranger audit, it seems that when tag related policy is created/changed, they were not synced to plug in, not sure if that is the reason behind the failure

6379-policy-change.png

You can see the sync only happened with resource based policies

6380-plugin-sync.png

2,722 Views
0
1 ACCEPTED SOLUTION

avatar
author-rank qiwang
Master Collaborator

Created ‎11-02-2016 02:36 PM

this is addressed in the latest sandbox, no an issue any more

View solution in original post

2,352 Views
0
5 REPLIES 5

avatar
author-rank svenkat
Rising Star

Created ‎08-05-2016 04:09 AM

Please provide a screenshot of the Audit panel -> Access tab. You can check which policy is firing and allowing access for admin from the Audit screen in the Access tab. FYI, there is no separate plugin sync for tag based and resource based policies - if you have an entry for the hiveServer2 under plugin id column after you updated the policy that means all policies are synced.

2,352 Views
0 Kudos

avatar
author-rank qiwang
Master Collaborator

Created ‎08-05-2016 06:33 PM

I always got "Unable to connect to Audit store !!" error in Audit=>Access tab. Nothing in that tab

2,352 Views
0 Kudos

avatar
author-rank mrizvi
Super Collaborator

Created ‎08-05-2016 11:06 PM

@Qi Wang, let me check from my end, will keep u posted as early as possible

2,352 Views
0 Kudos

avatar
author-rank qiwang
Master Collaborator

Created ‎08-08-2016 02:21 AM

I download the HDP2.5 TP Sandbox in early July. Not sure if there is newer version out after that.

2,352 Views
0 Kudos

avatar
author-rank qiwang
Master Collaborator

Created ‎11-02-2016 02:36 PM

this is addressed in the latest sandbox, no an issue any more

2,353 Views
0
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements