I have a policy in Ranger for a user to have access to all fields in a table. In Atlas I associated a deny tag on a field within that table for the same user. I run a Hive select on the table and the Atlas tag policy is not enforced. Is this expected functionality?
Tag-based policies should be defined in Ranger to apply security. Will you clarify whether, along with the tag association in Atlas, you have a corresponding tag-based policy in Ranger?
@Pranav Vashisht I have a tag-based policy on the field which denies the user access to the field. However, in Ranger for the same table and field I have the user with full permission to the table. These are two different policies.
Great question - I just recently tried this out, so the answer is: the tag-based policy "Deny Condition" will absolutely trump the resource-based policy (below is my proof):
The table customer_data_flattened has one tag “PII” on the column “c_email_address”.
Resource-based policy (#16): the users john_doe and jane_doe have ALL permissions in Hive for database = default, table = customer_data_flattened, all columns.
Tag-based policy (#13): the user john_doe has a deny condition for the PII tag for all Hive permissions.
When I run “SELECT * FROM customer_data_flattened LIMIT 100;” as the user john_doe, policy #16 should give me access, but the tag-based policy #13 doesn’t allow it:
(notice policy #16 isn’t even shown because #13 denied the request); policy #11 has to do with a different table.
Hi @Sunile Manjee,
The tag policy flow is as follows: once an access request comes in, for, say, Hive, the Hive service is scanned for any link to a tag-based service. If one is found, all policies under the tag service are scanned for the tag associated with the resources in the request.
There can be only one tag policy for a tag, so the policy which matches the tag is scanned. If there is a deny policy item denying the user access to the tagged resource, the flow terminates and the access request is denied.
Like @Chethana Krishnakumar mentioned, you could check the association between the Hive service and the tag service.
Also, you could check whether the Hive resource is actually tagged through Atlas properly.
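As an added illustration of the evaluation order described in the replies above (constructed example code, not Ranger's own code and not posted by anyone in this thread): a toy evaluator that models resource policy #16, tag policy #13, the Atlas PII tag on c_email_address, and the Hive-service-to-tag-service link whose absence the last two replies ask the poster to check. The column list other than c_email_address is an assumption.

```python
from dataclasses import dataclass

# Constructed sample modelled on the thread: Atlas tag "PII" on column c_email_address
# of default.customer_data_flattened, resource policy #16, tag policy #13.
ATLAS_TAGS = {("default", "customer_data_flattened", "c_email_address"): {"PII"}}

@dataclass
class ResourcePolicy:
    pid: int
    database: str
    table: str
    users: set          # granted ALL permissions on every column of the table

@dataclass
class TagPolicy:
    pid: int
    tag: str
    deny_users: set     # "deny condition" for this tag, all Hive permissions

@dataclass
class HiveService:
    resource_policies: list
    tag_policies: list
    tag_service_linked: bool  # the Hive-service-to-tag-service association to check

def evaluate(service, user, database, table, columns):
    """Simplified Ranger flow: tag-based deny is checked first; only if no tag
    policy denies the request are the resource-based policies consulted.
    Returns (decision, id of the policy that decided it)."""
    if service.tag_service_linked:
        tags = set()
        for col in columns:
            tags |= ATLAS_TAGS.get((database, table, col), set())
        for tp in service.tag_policies:
            if tp.tag in tags and user in tp.deny_users:
                return ("DENIED", tp.pid)  # flow terminates; #16 is never reached
    for rp in service.resource_policies:
        if (rp.database, rp.table) == (database, table) and user in rp.users:
            return ("ALLOWED", rp.pid)
    return ("DENIED", None)  # nothing matched: Ranger's default deny

def build_service(tag_service_linked=True):
    return HiveService(
        resource_policies=[ResourcePolicy(16, "default", "customer_data_flattened",
                                          {"john_doe", "jane_doe"})],
        tag_policies=[TagPolicy(13, "PII", {"john_doe"})],
        tag_service_linked=tag_service_linked,
    )

SELECT_STAR = ["c_customer_id", "c_email_address"]  # constructed columns SELECT * touches
```

With the link present, john_doe's SELECT * is denied by #13 and jane_doe's is allowed by #16; with the link absent, the tag policy is silently skipped and #16 allows john_doe, which matches the symptom in the original question.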