Support Questions

Find answers, ask questions, and share your expertise

How to grant user access to create tag based policies in ranger?

avatar
Explorer

Hi,

 

I want to grant a set of users access to add tag based policies in ranger. I have adde the users to data steward role which grants ranger/atlas admin access but still they get a access denied when create a tag based access policy. Creating resource based policies is working for them.

 

Ideally we want to grant them permissions to add tag based policies.

 

We use CDP public cloud 7.2.12 in AWS.

 

Any pointers are welcome. Thanks.

2 ACCEPTED SOLUTIONS

avatar
Explorer

Granting data steward role has fixed the issue. May be it was just a sync issue. However our requirement is to grant access to only tag based policies and not on resource based policies.

View solution in original post

avatar
Master Collaborator

@RajeshReddy 

 

for tag based policies you can refer to https://docs.cloudera.com/runtime/7.2.10/security-ranger-authorization/topics/security-ranger-tag-ba...

 

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

6 REPLIES 6

avatar
Guru

Hello @RajeshReddy ,

DataSteward role would usually grant “environments/adminRanger” permission which makes user Ranger and Atlas admin. This would suffice to create a tag based policy. Can we get more info on the error you are getting? Any screenshot or error messages would help us greatly to help you further.

Thanks.

avatar
Explorer

@VR46 Below is the error. The requirement is to grant the user access to only create tag based policies and deny creating resource based policies. But the result is opposite right now. Cant see any exception in ranger logs.

 

ranger-tag.PNG

avatar
Explorer

Granting data steward role has fixed the issue. May be it was just a sync issue. However our requirement is to grant access to only tag based policies and not on resource based policies.

avatar
Master Collaborator

@RajeshReddy 

 

Can you please give a try with changing the role to "environment admin"?

avatar
Explorer

This is not what we want to do.

avatar
Master Collaborator

@RajeshReddy 

 

for tag based policies you can refer to https://docs.cloudera.com/runtime/7.2.10/security-ranger-authorization/topics/security-ranger-tag-ba...

 

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.