Support Questions
Find answers, ask questions, and share your expertise

How does the deny conditon work?

New Contributor

Hi, people.

 

I just started using Apache Ranger 1.2.0 with Azure HDInsight Hadoop.

 

Then, I try using Ranger's permission control, but it doesn't work as I want.

 

I know the control works under this flow:https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.0/authorization-ranger/content/apache_ranger_acc... so that, the deny condition is prior to allow condition.

 

I made the policy which have two conditons; Allow Conditon is the group who includes me and Deny Conditon is just me.

And, only the polcy has the access to table A.

 

I guess the group user except me can access(SELECT) the table and I can't, but acutually both can.

 

Is there wrong point? my thought or settings?

thanks

3 REPLIES 3

Cloudera Employee

Hi @noway,

 

As mentioned in the documentation, did you ensure you have enabled deny conditions for policies? Because the deny condition in policies is disabled by default and must be enabled for use.

  1. From Ambari>Ranger>Configs>Advanced>Custom ranger-admin-site, add ranger.servicedef.enableDenyAndExceptionsInPolicies=true .
  2. Restart Ranger.

If the above is already done, could you try to run the SELECT query on the table with your user account and go to Ranger Admin Audit's Access tab, filter with your user name and validate which Policy granted you the access for the operation (You can identify the Policy ID in the audit entry).


Also, would you be able to share a screenshot of the policy which you had created?

 

Thanks,

Prashanth Vishnu

New Contributor

Hi, pvshnu

 

Thank you for replying my question.

 

I heard that the deny conditon is enabled by default when the HDP 3.0 and more is used.

(Our using HDP version is 3.1.0)

 

I try to do it.

 

Thanks.

Cloudera Employee

Hi @noway ,


Did you try to enable deny conditions in Policies with the steps shared and retry? Can you confirm if it worked as intended?

 

Thanks,
Prashanth Vishnu