I just started using Apache Ranger 1.2.0 with Azure HDInsight Hadoop.
Then I tried using Ranger's permission control, but it doesn't work as I want.
I know the control works under this flow: https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.0/authorization-ranger/content/apache_ranger_acc... so the deny condition is prior to the allow condition.
I made a policy which has two conditions: the Allow Condition is the group that includes me, and the Deny Condition is just me.
And only the policy has the access to table A.
I guess the group users except me can access (SELECT) the table and I can't, but actually both can.
Is there a wrong point? My thought or settings?
As mentioned in the documentation, did you ensure you have enabled deny conditions for policies? Because the deny condition in policies is disabled by default and must be enabled for use.
If the above is already done, could you try to run the SELECT query on the table with your user account and go to Ranger Admin Audit's Access tab, filter with your user name and validate which Policy granted you the access for the operation (You can identify the Policy ID in the audit entry).
Also, would you be able to share a screenshot of the policy which you had created?
Thank you for replying to my question.
I heard that the deny condition is enabled by default when HDP 3.0 or later is used.
(The HDP version we are using is 3.1.0)
I will try to do it.
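
As an added illustration (not code from this thread or from Apache Ranger), the following simplified Python model walks the deny-before-allow evaluation order discussed above and returns the deciding policy ID, which is the value to compare against the Policy ID shown in the Ranger Admin audit entry. The user names, group name, resource name and policy IDs are constructed for the example.

```python
# Simplified model of the deny-before-allow evaluation order (added example,
# not Ranger code). Users, groups, resource and policy ids are constructed.
from dataclasses import dataclass, field

@dataclass
class Item:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    accesses: set = field(default_factory=set)

    def matches(self, user, user_groups, access):
        who = user in self.users or bool(self.groups & user_groups)
        return who and access in self.accesses

@dataclass
class Policy:
    id: int
    resource: str
    allow: list = field(default_factory=list)
    allow_except: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    deny_except: list = field(default_factory=list)

def _hit(items, *req):
    return any(i.matches(*req) for i in items)

def evaluate(policies, user, user_groups, resource, access):
    """Return (decision, policy_id); policy_id is what an audit entry would name."""
    req = (user, set(user_groups), access)
    matching = [p for p in policies if p.resource == resource]
    # Pass 1: a deny item wins unless a deny exception covers the requester.
    for p in matching:
        if _hit(p.deny, *req) and not _hit(p.deny_except, *req):
            return ("DENIED", p.id)
    # Pass 2: an allow item grants unless an allow exception covers the requester.
    for p in matching:
        if _hit(p.allow, *req) and not _hit(p.allow_except, *req):
            return ("ALLOWED", p.id)
    # No matching item: this model reports that no policy decided the request.
    return ("NOT_DETERMINED", None)

# Constructed scenario from the question: group allowed, one member denied.
POLICIES = [Policy(id=10, resource="db.table_a",
                   allow=[Item(groups={"analysts"}, accesses={"select"})],
                   deny=[Item(users={"alice"}, accesses={"select"})])]
```

If the audit entry for the denied user's SELECT names a different policy ID than the one holding the deny condition, that other policy is the one to inspect.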