Is it possible to restrict access to certain UDFs (custom or built-in) in Ranger?
I have set the enableDenyAndExceptionsInPolicies option to true. Then I created a new access policy to deny a particular user access to all UDFs (* as database, * as udf, user in deny condition, all permissions selected).
This worked OK, and the user was denied when trying to run a select with a function.
But when I put a particular function into the UDF field, the user was able to run the function. I tried it with a built-in function (unix_timestamp) as well as with a custom-created function, and the result was the same.
What can be wrong or what else do I have to set up?
Ranger is 0.7.0, Hive is 1.2.1000.
The RANGER-1631 issue is probably not related, as my problem is with evaluating the function name, not the database name, and it occurs when running the function, not when creating it.
I tried one more test:
I created an allow policy for select permission for the user with database=* and one particular UDF, and disabled all other policies for the user.
When this policy was disabled, the user could not run any UDFs.
When this policy was enabled, the user could run all UDFs, not just the one given in the policy.