ATLAS-2162 addressed this requirement - to add hyperlink based on attribute value. This should be available since HDP-2.6.3. ... View more

Atlas search APIs don't support multiple typeNames in a single call. There were few requests to support this - both for entity-types and classification-types. Atlas team will look into this; but there is no concrete date/release for this enhancement. Until then, you will have to make 2 basic-search API calls - one for hive_table and another for hive_column. As you said, full-text may not be a good choice. ... View more

@Laura Ngo - by default the query returns maximum of 100 results. To retrieve more results, please add query parameter "limit" in the REST call, as shown below (addition of query parameter "limit=1234"): curl -k -u admim:admin -H "Content-type:application/json"-X GET https://url:port/api/atlas/v2/earch/dsl?limit=1234&query=hive_column%20where%20__state%3D%27ACTIVE%27%20and%20qualifiedName%20like%20%27prod_%2A_data_lake%2A%27%20selct%20qualifiedName%2Cname%2C__guid | python -m json.tool > hive_column_prod_data_lake.json Please note that a maximum of 10,000 results will be returned even if limit specified is higher. Both default and the max limit can be configured with the following properties: atlas.search.defaultlimit=100 atlas.search.maxlimit=10000 ... View more

Is it possible to reference more than one Atlas tag in one Ranger policy via the Policy Conditions? Yes. Following can be used to access details of all tags associated with the resource being accessed: ctx.getAllTagTypes() <== returns names of all tags associated with the resource (Set<String>) ctx.getTagAttributes(tagType) <== returns attributes of given tag (Map<String, String>) ctx.getAttributeValue(tagType, attrName) <== returns value of attribute 'attrName' in tagType tag The usecase you describe seems to require access-control based on tenancy and the zone in which the data resides. Please consider the following approach: 1. Define a classification named 'DATA_ZONE', with one attribute named "name" - as shown below: "classificationDefs": [ { "name": "DATA_ZONE", "attributeDefs": [ { "name": "name", "typeName": "string" } ] } ] 2. Define one classification for each tenant. In your example, you already have 2 classifications "tenancy_xxx" and "tenancy_yyy". 3. Create one tag-based policy for each tenant. Per your example, you would create 2 policies - one for "tenancy_xxx" tag and another for "tenancy_yyy" tag. 4. In policy for each tenant, you can use conditions as shown below to allow/deny access to users/groups: ctx.getAttributeValue("DATA_ZONE", "name").equals("landing") ctx.getAttributeValue("DATA_ZONE", "name").equals("staging") ctx.getAttributeValue("DATA_ZONE", "name").equals("data_lake") ... View more

I was able to create a policy successfully with the command-line in your post. There should be some log in one of these files: xa_portal.log, catalina.out, most recent access_log*.log. Can you check again? This error could be due to incorrect JSON as well - if this is the cause, error details should be in catalina.out. ... View more

Which version of Ranger do you use? This looks like the issue fixed in https://issues.apache.org/jira/browse/RANGER-1175. @mehul.parikh ... View more

>> If we use different permissions (like create-database), which resource will we define it on ? We can't define it on the table level. There is no restriction on the permissions that can be specified on a specific resource. Following policies can be used for your usecases. Please review. 1. To permit creation of databases named like testdb*: resource: { database=testdb*; schema=*; table=* }; permission: [ create-database ] 2. To permit creation of schemas under database db1: resource: { database=db1; schema=*; table=* }; permission: [ create-schema ] 3. To permit creation of tables under database=db1; schema=schema1: resource: { database=db1; schema=schema1; table=* }; permission: [ create-table ] ... View more

The REST endpoint you used is for the older version of Ranger, which does not handle recent additions like row-filter/column masking policies. Please use REST endpoint at service/public/v2/api/policy (note "/v2" in the path). For more details on the API, please see wiki at https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Service+Definition%2C+Service+and+Policy+Management If it helps to look at the Java source for the REST API - it is available is at https://github.com/apache/incubator-ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java. ... View more

Business Catalog feature, which deals with Taxonomy, is in tech-preview in HDP-2.5 release. Hence the feature is disabled by default. To enable this feature, add the following configuration to Atlas server configuration (atlas-application-properties) and restart Atlas server: atlas.feature.taxonomy.enable=true Please note that this feature is in tech-preview; GA version may not support the taxonomy data created in the tech-preview release. ... View more

@Neeraj - the username should be at least 2 character long. Hence Ranger Admin failed to accept names with a singe character - like "a" or "b". The issue faced by @terry@hortonworks.com is HDP-2.2 specific, where Ranger requires the username should begin with an alphabet. @terry@hortonworks.com - can you please confirm if you see this in HDP-2.2 and if starting a username with an alphabet works? ... View more