Ranger & Atlas Policy conflict

Super Guru

I have a policy in Ranger for a user to have access to all fields in a table. In Atlas I associated a deny tag with a field within that table for the same user. I run a Hive select on the table and the Atlas tag policy is not enforced. Is this expected functionality?

Re: Ranger & Atlas Policy conflict

New Contributor

Tag-based policies should be defined in Ranger to apply security. Could you clarify whether, along with the tag association in Atlas, you also have a corresponding tag-based policy in Ranger?

Re: Ranger & Atlas Policy conflict

Super Guru

@Pranav Vashisht I have a tag-based policy on the field which denies the user access to the field. However, in Ranger for the same table and field I have the user with full permission to the table. These are two different policies.

Re: Ranger & Atlas Policy conflict

Hi @Sunile Manjee

Great question - I just recently tried this out, so the answer is: the tag-based policy "Deny Condition" will absolutely trump the resource-based policy (below is my proof):

The table customer_data_flattened has one tag “PII” on the column “c_email_address”

Resource-Based Policy (#16): the users john_doe and jane_doe have ALL permissions in Hive for database = default, table = customer_data_flattened, all columns

Tag-Based Policy (#13): the user john_doe has a deny condition for the PII tag for all Hive permissions

When I run "SELECT * FROM customer_data_flattened LIMIT 100;" as the user john_doe, policy #16 should give me access, but the tag-based policy #13 doesn't allow it:

(notice policy #16 isn't even shown, because #13 denied the request) - policy #11 has to do with a different table

Re: Ranger & Atlas Policy conflict

Contributor

Is the Hive repo associated with the tag service repo? If it is not, then the tag-based policy may not take effect.

Re: Ranger & Atlas Policy conflict

Contributor

Hi @Sunile Manjee,

The tag policy flow states that once an access request comes in, for, say, Hive, the Hive service is scanned for any link to a tag-based service. If found, all policies under the tag service will be scanned for the tag associated with the resources in the request.

There can be only one tag policy for a tag, and so the policy which matches the tag is scanned. If there is a deny policy item denying the user access to the tagged resource, the flow terminates and the access request is denied.

Like @Chethana Krishnakumar mentioned, you could check the association between the Hive service and the tag service.

Also, you could check if the Hive resource is actually tagged through Atlas properly.
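To make the evaluation order described in the replies above concrete, here is an added Python model of it (my own illustration, not Ranger's or Atlas's code). It reproduces the thread's scenario: resource-based policy #16 grants john_doe and jane_doe everything on default.customer_data_flattened, tag-based policy #13 denies john_doe everything tagged PII, and Atlas has tagged the column c_email_address as PII. The model also covers the failure mode from the original question: when the Hive service is not linked to a tag service, tag policies are never consulted and the resource policy wins. Policy ids, user names and the tag name come from the thread; the table columns other than c_email_address and the data classes are constructed for the example.

```python
"""Added illustration of Ranger's tag-then-resource policy evaluation (not Ranger code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    database: str
    table: str
    column: str
    access: str  # e.g. "select"


@dataclass
class ResourcePolicy:
    policy_id: int
    database: str
    table: str
    columns: Set[str]            # {"*"} means every column
    allow: Dict[str, Set[str]]   # user -> permitted accesses; "all" covers every access

    def matches(self, req: Request) -> bool:
        return (self.database == req.database and self.table == req.table
                and ("*" in self.columns or req.column in self.columns))

    def allows(self, req: Request) -> bool:
        accesses = self.allow.get(req.user, set())
        return "all" in accesses or req.access in accesses


@dataclass
class TagPolicy:
    policy_id: int
    tag: str
    deny: Dict[str, Set[str]]    # user -> denied accesses (the "Deny Condition")


@dataclass
class TagService:
    name: str
    tag_policies: List[TagPolicy]


@dataclass
class HiveService:
    name: str
    tag_service: Optional[TagService]   # None when no tag service is linked
    resource_policies: List[ResourcePolicy]


# Constructed stand-in for the tag associations Atlas would supply.
ATLAS_TAGS = {("default", "customer_data_flattened", "c_email_address"): {"PII"}}


def tags_for(req: Request) -> Set[str]:
    return ATLAS_TAGS.get((req.database, req.table, req.column), set())


def evaluate(service: HiveService, req: Request) -> Tuple[str, Optional[int]]:
    """Return (decision, policy_id) following the flow described in the thread."""
    # Step 1: tag-based policies are consulted only if the Hive service is linked to a tag service.
    if service.tag_service is not None:
        for tag in tags_for(req):
            # Step 2: there is at most one tag policy per tag.
            policy = next((p for p in service.tag_service.tag_policies if p.tag == tag), None)
            if policy is None:
                continue
            denied = policy.deny.get(req.user, set())
            if "all" in denied or req.access in denied:
                # Step 3: a matching deny terminates evaluation; resource policies are never reached.
                return ("DENIED", policy.policy_id)
    # Step 4: no tag deny applied, so fall through to resource-based policies.
    for policy in service.resource_policies:
        if policy.matches(req) and policy.allows(req):
            return ("ALLOWED", policy.policy_id)
    return ("DENIED", None)


def evaluate_select_star(service: HiveService, user: str, database: str, table: str,
                         columns: List[str]) -> Tuple[str, Optional[int]]:
    """SELECT * asks for every column; the first column-level deny decides the whole statement."""
    allowed_by = None
    for column in columns:
        decision, policy_id = evaluate(service, Request(user, database, table, column, "select"))
        if decision == "DENIED":
            return ("DENIED", policy_id)
        allowed_by = policy_id
    return ("ALLOWED", allowed_by)


def build_service(link_tag_service: bool) -> HiveService:
    """Policies #16 and #13 from the thread; link_tag_service=False models the questioner's setup."""
    resource = ResourcePolicy(16, "default", "customer_data_flattened", {"*"},
                              {"john_doe": {"all"}, "jane_doe": {"all"}})
    tag = TagPolicy(13, "PII", deny={"john_doe": {"all"}})
    tag_service = TagService("tags", [tag]) if link_tag_service else None
    return HiveService("hive", tag_service, [resource])


if __name__ == "__main__":
    cols = ["c_customer_id", "c_email_address"]   # constructed column list
    for linked in (True, False):
        svc = build_service(linked)
        print(f"tag service linked={linked}:",
              evaluate_select_star(svc, "john_doe", "default", "customer_data_flattened", cols))
```

Running it with the tag service linked reproduces the screenshot description: john_doe's SELECT * is denied by #13 and #16 never gets a say, while jane_doe and untagged columns are allowed by #16. With the link removed, john_doe is allowed by #16, which is the symptom in the original question, so the first thing to verify is the Hive service's tag service association, and the second is that Atlas actually tagged the column.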