Ranger policy - logical AND between domain groups

New Contributor

Hello.

Is there a way in Ranger policies to add permissions only for users that are in both domain group1 and domain group2 (logical AND between groups)? Because there is always a logical OR between users and groups in Ranger policies.

1 ACCEPTED SOLUTION

Master Mentor

@arturbrandys2 

Policies are defined by the end services utilizing Ranger. Ranger also does not make authorization decisions. Each service runs a client that downloads the latest policy definitions JSON from Ranger for its specific service. The end service then uses those policy definitions to handle authorizations for the service.

Ranger does not offer a method to define an "and" relationship between multiple groups. Even if this were possible, the end services would also need to be modified to handle that association when making access decisions based on the downloaded JSON.


If you found that any of the suggestions/solutions provided helped you with your issue, please take a moment to log in and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
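
A simplified model of the behaviour discussed in the question and answer above, as an added example that is not part of the original post and is not Ranger's plugin code: it matches a constructed policy item with OR semantics between users and groups, then lists the users who are allowed even though they are not in both groups. The policy, the directory and the function names are hypothetical, and deny items, exceptions and conditions are ignored.

```python
import json

# Constructed policy fragment; field names follow Ranger's policy JSON layout.
POLICY_JSON = """
{
  "name": "finance_reports_read",
  "resources": {"path": {"values": ["/data/finance/reports"]}},
  "policyItems": [
    {"accesses": [{"type": "read", "isAllowed": true}],
     "users": [],
     "groups": ["group1", "group2"]}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed directory: user -> domain groups.
DIRECTORY = {
    "bob": ["group1"],
    "carol": ["group2"],
    "dave": ["group1", "group2"],
    "erin": ["group3"],
}

def item_matches(item, user, user_groups, access_type):
    """Simplified allow-item match: listed users and groups are alternatives."""
    grants = any(a["type"] == access_type and a.get("isAllowed", True)
                 for a in item.get("accesses", []))
    if not grants:
        return False
    in_users = user in item.get("users", [])
    in_groups = bool(set(user_groups) & set(item.get("groups", [])))
    return in_users or in_groups  # OR: membership in one listed group is enough

def is_allowed(policy, user, user_groups, access_type):
    return any(item_matches(i, user, user_groups, access_type)
               for i in policy.get("policyItems", []))

def over_granted(policy, directory, required_groups, access_type):
    """Users the policy allows although they lack one of the required groups."""
    required = set(required_groups)
    return sorted(u for u, groups in directory.items()
                  if is_allowed(policy, u, groups, access_type)
                  and not required <= set(groups))

if __name__ == "__main__":
    print(over_granted(POLICY, DIRECTORY, ["group1", "group2"], "read"))
```

Run against a real policy export and directory dump, the same audit shows which accounts a two-group policy item admits beyond the intended intersection.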
