Created 09-13-2016 04:44 PM
I have a policy in Ranger for a user to have access to all fields in a table. In Atlas I associated a deny tag on a field within that table for the same user. I run a Hive select on the table and the Atlas tag policy is not enforced. Is this expected functionality?
Created 09-16-2016 02:15 PM
Tag-based policies should be defined in Ranger to apply security. Will you clarify whether, along with the tag association in Atlas, you have a corresponding tag-based policy in Ranger?
Created 09-20-2016 06:52 PM
@Pranav Vashisht I have a tag-based policy on the field which denies the user access to the field. However, in Ranger for the same table and field I have the user with full permission to the table. These are two different policies.
Created on 10-07-2016 03:30 PM - edited 08-18-2019 06:05 AM
Great question - I just recently tried this out, so the answer is: the tag-based policy "Deny Condition" will absolutely trump the resource-based policy (below is my proof):
The table customer_data_flattened has one tag “PII” on the column “c_email_address”.
Resource Based Policy (#16): the users john_doe and jane_doe have ALL permissions in Hive for database = default, table = customer_data_flattened, all columns.
Tag Based Policy (#13): the user john_doe has a deny condition for the PII tag for all Hive permissions.
When I run “SELECT * FROM customer_data_flattened LIMIT 100;” as the user john_doe, policy #16 should give me access, but the tag-based policy (#13) doesn’t allow it:
(Notice policy #16 isn’t even shown because #13 denied the request.) Policy #11 has to do with a different table.
Created 02-06-2017 02:57 PM
Is the Hive repo associated with the tag service repo? If it is not, then the tag-based policy may not take effect.
Created 02-07-2017 06:31 PM
Hi @Sunile Manjee,
The tag policy flow states that once an access request comes in, for, say, Hive, the Hive service is scanned for any link to a tag-based service. If found, all policies under the tag service will be scanned for the tag associated with the resources in the request.
There can be only one tag policy for a tag, and so the policy which matches the tag is scanned. If there is a deny policy item denying the user access to the tagged resource, the flow terminates and the access request is denied.
Like @Chethana Krishnakumar mentioned, you could check the association between the Hive service and the tag service.
Also, you could check if the Hive resource is actually tagged through Atlas properly.
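To make the evaluation order described in the last two replies concrete, here is an added simulation (not Ranger's code, and not part of this thread) with constructed users, Atlas tag associations and two policies numbered after the proof above (#13 tag deny, #16 resource allow). It models one column per request, only the tag-deny path and the resource-allow path, and the service-to-tag-service link whose absence the replies say makes the tag policy not take effect; the `tag_svc` name is a placeholder.

```python
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    db: str
    table: str
    column: str
    access: str = "select"

# Constructed Atlas tag associations: (db, table, column) -> tag names
ATLAS_TAGS = {
    ("default", "customer_data_flattened", "c_email_address"): {"PII"},
}

# Constructed Ranger state. The Hive service is linked to a tag service;
# clearing that link reproduces the "tag policy not enforced" symptom.
HIVE_SERVICE = {"name": "hive", "tag_service": "tag_svc"}

# Tag policy #13: deny john_doe every Hive access to anything tagged PII
TAG_POLICIES = [
    {"id": 13, "tag": "PII", "deny_users": {"john_doe"}, "accesses": {"*"}},
]

# Resource policy #16: john_doe and jane_doe get ALL on the whole table
RESOURCE_POLICIES = [
    {"id": 16, "db": "default", "table": "customer_data_flattened",
     "column": "*", "allow_users": {"john_doe", "jane_doe"}, "accesses": {"*"}},
]

def _covers(policy, access):
    return "*" in policy["accesses"] or access in policy["accesses"]

def evaluate(req, hive_service=HIVE_SERVICE):
    """Return (decision, policy_id). Tag deny items are checked first, and
    only when the Hive service is linked to a tag service; a matching deny
    ends the flow. Otherwise resource-based policies decide."""
    if hive_service.get("tag_service"):
        tags = ATLAS_TAGS.get((req.db, req.table, req.column), set())
        for p in TAG_POLICIES:
            if p["tag"] in tags and req.user in p["deny_users"] and _covers(p, req.access):
                return ("DENY", p["id"])  # flow terminates, #16 never consulted
    for p in RESOURCE_POLICIES:
        if ((p["db"], p["table"]) == (req.db, req.table)
                and p["column"] in ("*", req.column)
                and req.user in p["allow_users"] and _covers(p, req.access)):
            return ("ALLOW", p["id"])
    return ("DENY", None)  # no policy matched: default deny
```

Calling `evaluate` for john_doe on c_email_address returns the #13 deny even though #16 would allow it, while the same call with `tag_service` set to `None` falls through to #16, which is the first thing to check when a tag policy appears to be ignored.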