I created a tag "mk_test_liczba" in Atlas. At first I assigned this tag to hive table named "mk_joint_tag" and to one of the columns
(within same table) named "liczba" .
Then I prepared a tag-based policy in Ranger that had a deny condition for select and update.
I run a select query on above mentioned table and the access was denied - noted as success.
But then I deleted the tag from whole table, leaving the tag assigned to one of the columns. I didn't modify the policy in Ranger.
I run a query "select kod from mk_joint_tag" and access was still denied. (column "kod" wasn't assigned to the tag)
Is that a proper behaviour ? Or is there something wrong with configuration?
I know that a resource based policy can grant and deny access to selected columns. So if I had deny condition on one of the columns within a table I still would be able to run a query on other columns.