How does the deny condition work?

New Contributor

Hi, people.

I just started using Apache Ranger 1.2.0 with Azure HDInsight Hadoop.

Then I tried using Ranger's permission control, but it doesn't work as I want.

I know the control works under this flow: https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.0/authorization-ranger/content/apache_ranger_acc... so the deny condition comes before the allow condition.

I made a policy which has two conditions: the Allow Condition is the group that includes me, and the Deny Condition is just me.

And only that policy has access to table A.

I guess the group users except me can access (SELECT) the table and I can't, but actually both can.

Is there something wrong? My thinking or my settings?

Thanks

Rising Star

Hi @noway,

As mentioned in the documentation, did you ensure you have enabled deny conditions for policies? Because the deny condition in policies is disabled by default and must be enabled for use.

  1. From Ambari > Ranger > Configs > Advanced > Custom ranger-admin-site, add ranger.servicedef.enableDenyAndExceptionsInPolicies=true.
  2. Restart Ranger.

If the above is already done, could you try running the SELECT query on the table with your user account, then go to the Access tab under Audit in Ranger Admin, filter by your user name, and check which policy granted you access for the operation? (You can identify the policy ID in the audit entry.)

Also, would you be able to share a screenshot of the policy which you had created?

Thanks,

Prashanth Vishnu
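Added example, not part of the thread and not Ranger's own code: a simplified Python model of the deny-before-allow flow for the policy described in the question, showing why both users get SELECT while deny conditions are off. The group name "analysts", the users "colleague" and "outsider", and all function and class names are constructed for illustration. The behaviour with the option disabled is modelled as the reply above describes it.

```python
from dataclasses import dataclass, field

@dataclass
class Item:
    """One policy condition row: who it names and which access types it covers."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    accesses: set = field(default_factory=set)

    def matches(self, user, user_groups, access):
        named = user in self.users or bool(self.groups & user_groups)
        return named and access in self.accesses

@dataclass
class Policy:
    allow: list = field(default_factory=list)
    allow_exceptions: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    deny_exceptions: list = field(default_factory=list)

def evaluate(policy, user, user_groups, access, deny_enabled):
    """Simplified single-policy decision: deny is checked before allow."""
    def hit(items):
        return any(i.matches(user, user_groups, access) for i in items)
    # Assumption taken from the reply: with the option off, deny and
    # exception rows are not used at all, so only allow rows count.
    if deny_enabled:
        if hit(policy.deny) and not hit(policy.deny_exceptions):
            return "DENIED"
        if hit(policy.allow) and not hit(policy.allow_exceptions):
            return "ALLOWED"
    elif hit(policy.allow):
        return "ALLOWED"
    return "NOT_DETERMINED"  # no row decided; other policies or defaults apply

# Constructed data: both users are in "analysts"; only "noway" is in the deny row.
GROUPS = {"noway": {"analysts"}, "colleague": {"analysts"}, "outsider": set()}
TABLE_A = Policy(
    allow=[Item(groups={"analysts"}, accesses={"select"})],
    deny=[Item(users={"noway"}, accesses={"select"})],
)

def select_decisions(deny_enabled):
    """SELECT decision on table A for every constructed user."""
    return {u: evaluate(TABLE_A, u, g, "select", deny_enabled) for u, g in GROUPS.items()}

if __name__ == "__main__":
    for flag in (False, True):
        print("deny conditions enabled =", flag, select_decisions(flag))
```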

New Contributor

Hi, pvshnu

Thank you for replying to my question.

I heard that the deny condition is enabled by default when HDP 3.0 or later is used.

(The HDP version we are using is 3.1.0)

I will try it.

Thanks.

Rising Star

Hi @noway,

Did you try to enable deny conditions in Policies with the steps shared and retry? Can you confirm if it worked as intended?

Thanks,
Prashanth Vishnu