Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger policy - logical AND between domain groups

Labels:
avatar
author-rank arturbrandys2
New Contributor

Created ‎10-10-2023 06:55 AM

Hello.

Is there a way in ranger policies to  add permissions for users that are only in both of domain group1 and domain group2 (logical AND between groups). Because there is always a logical OR between users and groups in ranger policies??

624 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-10-2023 12:15 PM

@arturbrandys2 

Policies are defined by the end services utilizing Ranger.  Ranger also does not make authorization decisions.  Each service runs a client that downloads the latest policy definitions json from Ranger for its specific service.  The end service then uses those policy definitions to handle authorizations for the service.  

Ranger does not offer a method to define an "and" relationship between multiple groups.  Even if this was possible, the end services would need to also be modified to handle that association when making access decisions based on the downloaded json.


If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

612 Views
0
1 REPLY 1

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-10-2023 12:15 PM

@arturbrandys2 

Policies are defined by the end services utilizing Ranger.  Ranger also does not make authorization decisions.  Each service runs a client that downloads the latest policy definitions json from Ranger for its specific service.  The end service then uses those policy definitions to handle authorizations for the service.  

Ranger does not offer a method to define an "and" relationship between multiple groups.  Even if this was possible, the end services would need to also be modified to handle that association when making access decisions based on the downloaded json.


If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

613 Views
0
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements