Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger: combining tag policies

Highlighted

Ranger: combining tag policies

New Contributor

I have two sets of tags: one for location (US or international) , one for privacy (PII or not).

How can I enforce both sets for tag based policies in Ranger ? Say I create a policy to allow access to "US" tag for user 1, and to "International" for user 2.

I have data tagged as "PII" under both "US" and "International". Now, If I give user 1 access to "PII" tagged data, it will also get access to "International" data tagged as "PII", which I don't want. How can I enforce in Ranger that both the location policy and privacy policy have to be true in order to allow access. As I see it, Ranger will allow access as soon as one of the policies allow.

I know I can combine the tag sets (e.g. "US PII", "US", "International PII", "International"). But this is not scalable. If the number of locations grows, and other sets of tags are added (regulatory, classifications, etc), it will be impossible to maintain the combinations. I need a logical AND in policy evaluation (e.g. if location tag matches AND privacy matches then allow), whereas currently it looks like the Ranger evaluation flow does an OR (e.g. if any location tag matches or privacy tag matches then allow).

Any ideas ?

1 REPLY 1

Re: Ranger: combining tag policies

@robert cheung

Deny policies take precedence over allow policies. So, in your scenario above, User 1 should not have access to data tagged as both, "International" and "PII".

Take a look at the flow chart below on the sequence of policy evaluation.

64986-ranger-policy-evaluation-flow-with-tags.png

Don't have an account?
Coming from Hortonworks? Activate your account here