Support Questions

noway · ‎09-02-2021

Hi, people.

I just started using Apache Ranger 1.2.0 with Azure HDInsight Hadoop.

Then, I try using Ranger's permission control, but it doesn't work as I want.

I know the control works under this flow:https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.0/authorization-ranger/content/apache_ranger_acc... so that, the deny condition is prior to allow condition.

I made the policy which have two conditons; Allow Conditon is the group who includes me and Deny Conditon is just me.

And, only the polcy has the access to table A.

I guess the group user except me can access(SELECT) the table and I can't, but acutually both can.

Is there wrong point? my thought or settings?

thanks

pvishnu · ‎09-04-2021

Hi @noway,

As mentioned in the documentation, did you ensure you have enabled deny conditions for policies? Because the deny condition in policies is disabled by default and must be enabled for use.

From Ambari>Ranger>Configs>Advanced>Custom ranger-admin-site, add ranger.servicedef.enableDenyAndExceptionsInPolicies=true .
Restart Ranger.

If the above is already done, could you try to run the SELECT query on the table with your user account and go to Ranger Admin Audit's Access tab, filter with your user name and validate which Policy granted you the access for the operation (You can identify the Policy ID in the audit entry).

Also, would you be able to share a screenshot of the policy which you had created?

Thanks,

Prashanth Vishnu

noway · ‎09-06-2021

Hi, pvshnu

Thank you for replying my question.

I heard that the deny conditon is enabled by default when the HDP 3.0 and more is used.

(Our using HDP version is 3.1.0)

I try to do it.

Thanks.

pvishnu · ‎09-15-2021

Hi @noway ,

Did you try to enable deny conditions in Policies with the steps shared and retry? Can you confirm if it worked as intended?

Thanks,
Prashanth Vishnu

Cloudera Community

Support Questions

How does the deny conditon work?