Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

HDP 2.5 Ranger dont have "Deny" or "Policy Condition"

Solved Go to solution

HDP 2.5 Ranger dont have "Deny" or "Policy Condition"

Contributor

Hi,

When I login in the Sandbox 2.5 (VMWare).

Ranger don't contain any option for "Deny" or "Policy Condition" only through "Tag based..".

In the documentation a screendump and description is showed with Hive and "Deny" condition.

Link: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/about_ranger_policies.h...

Questions

1) Is there anything that which need to be enable to get this to work?

2) Is "Policy Condition" possible in Resource-Based Policy or only in "Tag based.."

/ Anders

8836-untitled.png

1 ACCEPTED SOLUTION

Accepted Solutions

Re: HDP 2.5 Ranger dont have "Deny" or "Policy Condition"

Contributor

There are two types of policies in Ranger - resource based policies and tag based policies. The Policy Conditions only apply to tag based policies. If you go to the Ranger Admin UI and click on Access Manager > Tag Based Policies then click on your tag service you'll be able to add a tag based policy with the Policy Conditions you require. There's more information here: Tag Based Policies

4 REPLIES 4

Re: HDP 2.5 Ranger dont have "Deny" or "Policy Condition"

Contributor

@Anders Boje Larsen Deny policies are only enabled for service definitions that have property enableDenyAndExceptionsInPolicies = true and are off by default for all services. You'll need to update the service definitions for the services you want deny policies for. This page has the required information: Deny-conditions and excludes in Ranger policies

Re: HDP 2.5 Ranger dont have "Deny" or "Policy Condition"

Contributor

Thx @Terry Stebbens, would this also enable "Policy conditions" option?

8806-capture.png

Re: HDP 2.5 Ranger dont have "Deny" or "Policy Condition"

Contributor

There are two types of policies in Ranger - resource based policies and tag based policies. The Policy Conditions only apply to tag based policies. If you go to the Ranger Admin UI and click on Access Manager > Tag Based Policies then click on your tag service you'll be able to add a tag based policy with the Policy Conditions you require. There's more information here: Tag Based Policies

Re: HDP 2.5 Ranger dont have "Deny" or "Policy Condition"

Contributor

Okay.. Was hoping this feature could be or will be avalible in Resource Based. One case could be data in HDFS which only should be allowed to acces data based on location or a time perioed.

Don't have an account?
Coming from Hortonworks? Activate your account here