
Ranger stacked policy evaluation with EXCLUDE switch

Super Collaborator

Hi,

I have read the manual but I don't understand the behaviour of 2 policies I have regarding the same Hive table.

Policy 15 is a global allow policy on all Hive tables, all columns:

[screenshot of policy 15: 8639-screen-shot-2016-10-18-at-82358-am.png]

then I have policy 31 like this:

[screenshot of policy 31: 8634-screen-shot-2016-10-18-at-121942-am.png]

But whatever I try, user raj_ops still can run 'select * from employee' and get results.

[screenshot of the query result: 8635-screen-shot-2016-10-18-at-122631-am.png]

Policy 31 is not evaluated as a 'deny' on the resource. I know you can add explicit Deny Conditions to the Hive service, and I will try that. But the question is what the EXCLUDE switch (after the Hive column * box) is good for when it is not picked up.

ACCEPTED SOLUTION

Super Collaborator

For the moment I will not use this exclude switch because it behaves not as I (and my client) would expect. I will go for the Deny Conditions extension for the Hive service.

The exclude switch is confusing in that it seems to swap an allow into a deny, but it doesn't. It only excludes the resources from the policy.

7 REPLIES


You mentioned there is a global allow policy; can you please attach a screenshot of that too?

Super Collaborator

@Deepak Sharma Added to the main question.


@Jasper In policy 15 I can see you have added * resources for all, and raj_ops is part of the users, so he is able to access all.

Super Collaborator

@Deepak Sharma Yes, but I would expect that if one policy (15) says 'yes' and the other (31) says 'no', then it should be 'no', as is stated in the schema in the manual.


No @Jasper, this will be the case when there is a deny condition for raj_ops; then raj_ops will be denied from performing the operation. But in the current scenario you can see both are allow conditions; in such a case, if any of the conditions match then it will be allowed, and even the manual says the same!
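The evaluation rule described in this thread (a matching deny condition wins; otherwise any matching allow grants; the EXCLUDE switch only narrows which resources a policy matches and never turns an allow into a deny) can be made concrete with a small policy evaluator. The code below is an added example, not Ranger's own implementation and not code from anyone in this thread: it is a deliberately simplified model of Ranger's allow/deny ordering, and the contents of policy 31 (database `default`, table `employee`, column `*` with EXCLUDE set) are assumed from the description above, since the screenshots are not reproduced here.

```python
"""Simplified model of Ranger stacked-policy evaluation (added example).

Assumptions, not Ranger source:
  - a policy matches a request only if every resource level matches;
  - a resource level with the EXCLUDE switch matches everything that its
    pattern does NOT match;
  - deny items of matching policies are checked first, then allow items;
  - with no matching allow, the default outcome is deny.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class ResourceMatcher:
    patterns: list                 # e.g. ["*"] or ["employee"]
    is_excludes: bool = False      # the EXCLUDE switch next to the resource box

    def matches(self, value: str) -> bool:
        hit = any(fnmatchcase(value, p) for p in self.patterns)
        return (not hit) if self.is_excludes else hit


@dataclass
class PolicyItem:
    users: set
    accesses: set

    def grants(self, user: str, access: str) -> bool:
        return user in self.users and access in self.accesses


@dataclass
class Policy:
    policy_id: int
    resources: dict                            # level -> ResourceMatcher
    allow_items: list = field(default_factory=list)
    deny_items: list = field(default_factory=list)

    def matches_resource(self, resource: dict) -> bool:
        return all(m.matches(resource[level]) for level, m in self.resources.items())


def evaluate(policies, user, access, resource):
    """Return (decision, policy_id) for a request; policy_id is None for the default deny."""
    matching = [p for p in policies if p.matches_resource(resource)]
    # Deny conditions take precedence over any allow.
    for p in matching:
        if any(item.grants(user, access) for item in p.deny_items):
            return ("DENY", p.policy_id)
    # Otherwise the first matching allow grants access.
    for p in matching:
        if any(item.grants(user, access) for item in p.allow_items):
            return ("ALLOW", p.policy_id)
    return ("DENY", None)


# Constructed policies modelled on the thread (policy 31 contents are assumed).
RAJ_SELECT = PolicyItem({"raj_ops"}, {"select"})

POLICY_15 = Policy(15, {"database": ResourceMatcher(["*"]),
                        "table": ResourceMatcher(["*"]),
                        "column": ResourceMatcher(["*"])},
                   allow_items=[RAJ_SELECT])

POLICY_31 = Policy(31, {"database": ResourceMatcher(["default"]),
                        "table": ResourceMatcher(["employee"]),
                        "column": ResourceMatcher(["*"], is_excludes=True)},
                   allow_items=[RAJ_SELECT])

# The alternative the thread recommends: an explicit deny condition instead of EXCLUDE.
POLICY_31_DENY = Policy(31, {"database": ResourceMatcher(["default"]),
                             "table": ResourceMatcher(["employee"]),
                             "column": ResourceMatcher(["*"])},
                        deny_items=[RAJ_SELECT])

# Constructed request: raj_ops runs 'select' on a column of default.employee.
EMPLOYEE_SSN = {"database": "default", "table": "employee", "column": "ssn"}


def scenario_exclude():
    # Policy 31 excludes every column, so it matches nothing; policy 15 still allows.
    return evaluate([POLICY_15, POLICY_31], "raj_ops", "select", EMPLOYEE_SSN)


def scenario_exclude_alone():
    # Without the global allow, policy 31 with EXCLUDE on '*' grants nothing at all.
    return evaluate([POLICY_31], "raj_ops", "select", EMPLOYEE_SSN)


def scenario_deny_condition():
    # A deny condition is evaluated before allows and wins over policy 15.
    return evaluate([POLICY_15, POLICY_31_DENY], "raj_ops", "select", EMPLOYEE_SSN)


if __name__ == "__main__":
    print("15 + 31 (exclude):", scenario_exclude())
    print("31 (exclude) alone:", scenario_exclude_alone())
    print("15 + 31 (deny):", scenario_deny_condition())
```

Running the three scenarios reproduces the thread: with the EXCLUDE switch, policy 31 simply stops matching the `employee` columns, leaving policy 15's global allow in force; only a deny condition on the same resource changes the outcome for raj_ops.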
