
Ranger & Atlas Policy conflict

Super Guru

I have a policy in Ranger for a user to have access to all fields in a table. In Atlas I associated a deny tag on a field within that table for the same user. I run a Hive select on the table and the Atlas tag policy is not enforced. Is this expected functionality?


New Contributor

Tag-based policies should be defined in Ranger to apply security. Can you clarify whether, along with the tag association in Atlas, you have a corresponding tag-based policy in Ranger?

Super Guru

@Pranav Vashisht I have a tag-based policy on the field which denies the user access to the field. However, in Ranger for the same table and field I have the user with full permission on the table. These are two different policies.

Hi @Sunile Manjee

Great question - I just recently tried this out, so the answer is: the tag-based policy "Deny Condition" will absolutely trump the resource-based policy (below is my proof):

The table customer_data_flattened has one tag “PII” on the column “c_email_address”

[screenshot]

Resource-Based Policy (#16): the users john_doe and jane_doe have ALL permissions in Hive for database = default, table = customer_data_flattened, all columns

[screenshot]

Tag-Based Policy (#13): the user john_doe has a deny condition for the PII tag for all Hive permissions

[screenshot]

When I run “SELECT * FROM customer_data_flattened LIMIT 100;” as the user john_doe, policy #16 should give me access, but the tag-based policy #13 doesn’t allow it:

(notice policy #16 isn’t even shown because #13 denied the request; policy #11 has to do with a different table)

[screenshot]

Contributor

Is the Hive repo associated with the tag service repo? If it is not, then the tag-based policy may not take effect.

Contributor

Hi @Sunile Manjee,

The tag policy flow states that once an access request comes in, for, say, Hive, the Hive service is scanned for any link to a tag-based service. If found, all policies under the tag service will be scanned for the tag associated with the resources in the request.

There can be only 1 tag policy for a tag, and so the policy which matches the tag is scanned. If there is a deny policy item denying the user access to the tagged resource, the flow terminates and the access request is denied.

Like @Chethana Krishnakumar mentioned, you could check the association between the Hive service and the tag service.

Also, you could check if the Hive resource is actually tagged through Atlas properly.
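As an added illustration (not Ranger's own code, nor code from anyone in this thread), a small Python model of the evaluation order the replies describe: tag-based deny items are checked first, and only when the Hive service is linked to the tag service and the requested column actually carries the Atlas tag; otherwise the request falls through to resource-based policies. The policy data mirrors policies #13 and #16 from the thread; the data layout, function name and `hive_linked_to_tag_service` flag are assumptions made for this example.

```python
# Constructed sample data modelled on the thread (not exported from Ranger):
# tag policy #13 denies the PII tag for john_doe; resource policy #16 allows
# john_doe and jane_doe everything on default.customer_data_flattened.
TAG_POLICIES = {  # tag -> policy items under the tag service
    "PII": [{"id": 13, "users": {"john_doe"}, "deny": True}],
}
RESOURCE_POLICIES = [
    {"id": 16, "db": "default", "table": "customer_data_flattened",
     "users": {"john_doe", "jane_doe"}, "allow": True},
]
# Atlas tag associations as Ranger's tag sync would see them:
# (db, table, column) -> set of tags. Only c_email_address is tagged PII.
ATLAS_TAGS = {("default", "customer_data_flattened", "c_email_address"): {"PII"}}

ALL_COLUMNS = ["c_customer_id", "c_email_address"]  # SELECT * touches both


def authorize(user, db, table, columns, hive_linked_to_tag_service=True,
              tag_policies=TAG_POLICIES, resource_policies=RESOURCE_POLICIES,
              atlas_tags=ATLAS_TAGS):
    """Return (decision, policy_id) following the flow described in the thread."""
    # Step 1: tag policies are consulted only if the Hive service is linked
    # to a tag service (the check Chethana's reply suggests).
    if hive_linked_to_tag_service:
        for col in columns:
            # Step 2: look up the tags Atlas attached to each requested column.
            for tag in atlas_tags.get((db, table, col), set()):
                for item in tag_policies.get(tag, []):
                    # Step 3: a matching deny item terminates the flow; the
                    # resource policy is never reached (hence #16 not in the audit).
                    if item["deny"] and user in item["users"]:
                        return ("DENIED", item["id"])
    # Step 4: no tag-based deny, so resource-based policies decide.
    for pol in resource_policies:
        if (pol["db"] == db and pol["table"] == table
                and user in pol["users"] and pol["allow"]):
            return ("ALLOWED", pol["id"])
    return ("DENIED", None)


if __name__ == "__main__":
    print(authorize("john_doe", "default", "customer_data_flattened", ALL_COLUMNS))
    print(authorize("jane_doe", "default", "customer_data_flattened", ALL_COLUMNS))
```

Running the model with the service link removed, or with the request restricted to an untagged column, returns an allow from policy #16, which reproduces the symptom in the original question when either the link or the Atlas tagging is missing.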