Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

How does tag-based policy work if a tag is assigned to column?

Highlighted

How does tag-based policy work if a tag is assigned to column?

New Contributor

Hi,

I created a tag "mk_test_liczba" in Atlas. At first I assigned this tag to hive table named "mk_joint_tag" and to one of the columns

(within same table) named "liczba" .

Then I prepared a tag-based policy in Ranger that had a deny condition for select and update.

I run a select query on above mentioned table and the access was denied - noted as success.

But then I deleted the tag from whole table, leaving the tag assigned to one of the columns. I didn't modify the policy in Ranger.

I run a query "select kod from mk_joint_tag" and access was still denied. (column "kod" wasn't assigned to the tag)

Is that a proper behaviour ? Or is there something wrong with configuration?

I know that a resource based policy can grant and deny access to selected columns. So if I had deny condition on one of the columns within a table I still would be able to run a query on other columns.