Member since 09-29-2015 | 36 Posts | 26 Kudos Received | 10 Solutions
11-07-2018
12:54 AM
This is likely to be caused by missing atlas.war file in directory /usr/hdp/current/atlas-server/server/atlas/webapp. Can you please verify that this file exists?
11-07-2018
12:48 AM
For HDP-3.x, HBase table name is 'atlas_janus'.
11-07-2018
12:45 AM
1 Kudo
ATLAS-2162 addressed this requirement - to add hyperlink based on attribute value. This should be available since HDP-2.6.3.
11-07-2018
12:26 AM
@meirs84 - can you please add details of the API call and the error received?
11-07-2018
12:22 AM
Atlas search APIs don't support multiple typeNames in a single call. There were few requests to support this - both for entity-types and classification-types. Atlas team will look into this; but there is no concrete date/release for this enhancement. Until then, you will have to make 2 basic-search API calls - one for hive_table and another for hive_column. As you said, full-text may not be a good choice.
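The two-call workaround from the post above, as an added example (not code from the original post or from the Atlas project): one basic-search call per type, merged by guid. The host name, the search text and the constructed sample responses are assumptions; `fake_fetch` stands in for a live server so the block runs offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def basic_search_url(base, type_name, query, limit=100):
    """URL for one basic-search call; Atlas takes a single typeName per call."""
    params = {"typeName": type_name, "query": query, "limit": limit}
    return base.rstrip("/") + "/api/atlas/v2/search/basic?" + urlencode(params)

def http_get(url):
    """Default transport; add authentication headers for a real cluster."""
    with urlopen(Request(url, headers={"Accept": "application/json"})) as resp:
        return json.load(resp)

def search_types(base, type_names, query, limit=100, fetch=http_get):
    """Run one basic search per type and merge the entities, deduplicated by guid."""
    merged = {}
    for type_name in type_names:
        result = fetch(basic_search_url(base, type_name, query, limit))
        for entity in result.get("entities") or []:  # key is absent on no match
            merged.setdefault(entity["guid"], entity)
    return list(merged.values())

# Constructed responses standing in for a live Atlas server.
SAMPLE = {
    "hive_table": {"entities": [{"guid": "g-1", "typeName": "hive_table"}]},
    "hive_column": {"entities": [{"guid": "g-2", "typeName": "hive_column"},
                                 {"guid": "g-3", "typeName": "hive_column"}]},
}

def fake_fetch(url):
    """Offline transport: answer from SAMPLE based on the typeName in the URL."""
    for type_name, body in SAMPLE.items():
        if "typeName=" + type_name + "&" in url:
            return body
    return {}

if __name__ == "__main__":
    # atlas.example is a placeholder host, not a value from the post.
    hits = search_types("https://atlas.example:21443",
                        ["hive_table", "hive_column"], "customer", fetch=fake_fetch)
    print([(e["typeName"], e["guid"]) for e in hits])
```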
03-15-2018
03:55 PM
2 Kudos
@Laura Ngo - by default the query returns maximum of 100 results. To retrieve more results, please add query parameter "limit" in the REST call, as shown below (addition of query parameter "limit=1234"):

    curl -k -u admin:admin -H "Content-type:application/json" -X GET "https://url:port/api/atlas/v2/search/dsl?limit=1234&query=hive_column%20where%20__state%3D%27ACTIVE%27%20and%20qualifiedName%20like%20%27prod_%2A_data_lake%2A%27%20select%20qualifiedName%2Cname%2C__guid" | python -m json.tool > hive_column_prod_data_lake.json

Please note that a maximum of 10,000 results will be returned even if limit specified is higher. Both default and the max limit can be configured with the following properties:

    atlas.search.defaultlimit=100
    atlas.search.maxlimit=10000
03-08-2018
06:12 PM
1 Kudo
@Petrina Zheng, @Jayaraman Palaniappan - the failure in hard-delete was due to ATLAS-2169. Fix for this issue will be included in the next HDP 2.6-maint release (2.6.5). However, please note that hard-delete is not a recommended configuration for production deployment - given Atlas's role in governance domain.
03-05-2018
05:55 PM
@Laura Ngo - the policy contents look right. Audit log shows the tag name in lower case - "data_zone". Please ensure that the tag name used in the condition is same as the one in Atlas.
03-05-2018
01:32 AM
@Laura Ngo - I was able to reproduce the issue. The expression you entered is indeed correct:

    ctx.getAttributeValue("DATA_ZONE","name").equals("data_lake")

However, when the policy is saved from UI, the entered expression is broken into multiple strings, causing the evaluation to fail at runtime. This is likely an issue with Ranger UI. I was able to get around this issue by updating the policies via REST API; if possible, please update the policies via REST API. I will update on the UI issue shortly.
03-04-2018
11:11 PM
@Laura Ngo - can you verify that no other policy allowed select access on footmart database for holger_gov (please look at Ranger audit log)?
02-27-2018
09:51 PM
1 Kudo
Is it possible to reference more than one Atlas tag in one Ranger policy via the Policy Conditions?

Yes. Following can be used to access details of all tags associated with the resource being accessed:

    ctx.getAllTagTypes() <== returns names of all tags associated with the resource (Set<String>)
    ctx.getTagAttributes(tagType) <== returns attributes of given tag (Map<String, String>)
    ctx.getAttributeValue(tagType, attrName) <== returns value of attribute 'attrName' in tagType tag

The usecase you describe seems to require access-control based on tenancy and the zone in which the data resides. Please consider the following approach:

1. Define a classification named 'DATA_ZONE', with one attribute named "name" - as shown below:

    "classificationDefs": [
      {
        "name": "DATA_ZONE",
        "attributeDefs": [
          {
            "name": "name",
            "typeName": "string"
          }
        ]
      }
    ]

2. Define one classification for each tenant. In your example, you already have 2 classifications "tenancy_xxx" and "tenancy_yyy".

3. Create one tag-based policy for each tenant. Per your example, you would create 2 policies - one for "tenancy_xxx" tag and another for "tenancy_yyy" tag.

4. In policy for each tenant, you can use conditions as shown below to allow/deny access to users/groups:

    ctx.getAttributeValue("DATA_ZONE", "name").equals("landing")
    ctx.getAttributeValue("DATA_ZONE", "name").equals("staging")
    ctx.getAttributeValue("DATA_ZONE", "name").equals("data_lake")
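An added example (not code from the original posts or from the Ranger project) covering both the per-tenant policy approach above and the 03-05-2018 post about a saved expression being broken into multiple strings: it builds a tag-based policy body whose condition is a single string, and flags policies whose expression values are unbalanced fragments. The service name, group names, the `hive:select` access type and the position of the split are assumptions made for illustration.

```python
def balanced(expr):
    """True when quotes and parentheses in a condition expression are closed."""
    depth, quote = 0, None
    for ch in expr:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and quote is None

def zone_policy(tenant_tag, zone, groups):
    """Tag-based policy body for one tenant; the expression is ONE string."""
    expr = 'ctx.getAttributeValue("DATA_ZONE", "name").equals("%s")' % zone
    return {
        "service": "cl1_tag",  # placeholder tag service name (assumption)
        "name": "%s-%s" % (tenant_tag, zone),
        "resources": {"tag": {"values": [tenant_tag]}},
        "policyItems": [{
            "groups": groups,
            "accesses": [{"type": "hive:select", "isAllowed": True}],
            "conditions": [{"type": "expression", "values": [expr]}],
        }],
    }

def broken_expressions(policy):
    """Return expression fragments that cannot be evaluated on their own."""
    bad = []
    for item in policy.get("policyItems", []):
        for cond in item.get("conditions", []):
            if cond.get("type") == "expression":
                bad += [v for v in cond.get("values", []) if not balanced(v)]
    return bad

# Constructed sample: the same condition after being split at the comma.
split_policy = zone_policy("tenancy_xxx", "data_lake", ["analysts"])
split_policy["policyItems"][0]["conditions"][0]["values"] = [
    'ctx.getAttributeValue("DATA_ZONE"', '"name").equals("data_lake")']

if __name__ == "__main__":
    good = zone_policy("tenancy_xxx", "data_lake", ["analysts"])
    print("intact policy fragments:", broken_expressions(good))
    print("split policy fragments: ", broken_expressions(split_policy))
```

Running `broken_expressions` over policies fetched from the Ranger REST API after a UI save shows whether a condition was stored as fragments.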
04-12-2017
12:08 AM
@Sebastien WAFFLART - this error seems to be hit during Atlas startup. And value of capacity/required in the error message are too small - 0 and 1: "com.esotericsoftware.kryo.KryoException: Buffer too small: capacity: 0, required: 1". I guess something else might be going on here. Can you attach Atlas log file to troubleshoot this further?
03-31-2017
07:31 AM
Export/import feature helps to copy Atlas data from one instance to another. However, it won't replace the need for backup.
03-31-2017
07:18 AM
1 Kudo
In addition to HBase tables, Atlas data is stored in 3 Solr collections as well: vertex_index, edge_index and fulltext_index. These need to be backed up as well.
02-15-2017
10:19 PM
I think Hive folks should look into this one. CC: @Eugene Koifman, @Wei Zheng
12-29-2016
06:50 PM
1 Kudo
I was able to create a policy successfully with the command-line in your post. There should be some log in one of these files: xa_portal.log, catalina.out, most recent access_log*.log. Can you check again? This error could be due to incorrect JSON as well - if this is the cause, error details should be in catalina.out.
12-23-2016
08:08 PM
Can you take a look at xa_portal.log to troubleshoot further? If you can send details of the REST API call made and the response, it can help find the root cause.
12-22-2016
08:11 PM
Fix in RANGER-1175 may not be present in the sandbox. Can you try the following workaround, to get the fix in the sandbox?

1. cd /usr/hdp/current/ranger-admin/ews
2. mv webapp/scripts/views/policies/RangerPolicyForm.js webapp/scripts/views/policies/RangerPolicyForm.js.saved
3. curl https://raw.githubusercontent.com/apache/incubator-ranger/ranger-0.6/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js > webapp/scripts/views/policies/RangerPolicyForm.js

After this, please clear your browser cache and try. Hope this helps.
12-22-2016
02:27 AM
3 Kudos
Which version of Ranger do you use? This looks like the issue fixed in https://issues.apache.org/jira/browse/RANGER-1175. @mehul.parikh
12-18-2016
08:07 PM
1 Kudo
>> Hive view cannot be used to authorize using Ranger.

This is not true. Ranger Hive policies don't distinguish between Hive tables and views. You can simply provide view name in Ranger policy instead of table name.
12-18-2016
07:59 PM
1 Kudo
If row-level filter/column-masking is enabled on a table for a user, that user will not be allowed to perform any update operations (like insert, delete) on the table. This is to prevent such users from updating rows/columns that they don't have permissions for.
12-02-2016
07:56 AM
>> If we use different permissions (like create-database), which resource will we define it on? We can't define it on the table level.

There is no restriction on the permissions that can be specified on a specific resource. Following policies can be used for your usecases. Please review.

1. To permit creation of databases named like testdb*:
   resource: { database=testdb*; schema=*; table=* }; permission: [ create-database ]
2. To permit creation of schemas under database db1:
   resource: { database=db1; schema=*; table=* }; permission: [ create-schema ]
3. To permit creation of tables under database=db1; schema=schema1:
   resource: { database=db1; schema=schema1; table=* }; permission: [ create-table ]
12-01-2016
02:56 AM
1 Kudo
@Alexander Denissov if you would like to restrict users to perform 'create' only on higher level resources (like database/schema), consider using separate permissions - like create-database/create-schema, instead of generic 'create'. I think the notion of 'optional' resource is not yet defined precisely. Your usecase, of allowing only at higher-level resource, seems to be good candidate to allow optional resources to be empty. This would however require changes in a number of places - like policy-engine, policy-validation, etc. It will help if you can file a JIRA with details.
11-03-2016
04:54 PM
1 Kudo
Does Ranger audit log show PII tag? To troubleshoot further, can you share a screen shot of Ranger audit UI page showing audit logs generated for this query?
10-14-2016
03:47 AM
2 Kudos
The REST endpoint you used is for the older version of Ranger, which does not handle recent additions like row-filter/column masking policies. Please use REST endpoint at service/public/v2/api/policy (note "/v2" in the path). For more details on the API, please see wiki at https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Service+Definition%2C+Service+and+Policy+Management

If it helps to look at the Java source for the REST API - it is available at https://github.com/apache/incubator-ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java.
09-28-2016
09:39 PM
For HDP-2.3 or later, please use the REST API documented here: https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Service+Definition%2C+Service+and+Policy+Management
09-28-2016
09:38 PM
@Amit Kumar Agarwal If wildcards can be used to specify the tables (for example: "test*", "finance*"), it can make working with policies a little easier i.e. simpler than looking through a long list of tables. Ranger supports 2 wildcard characters "*" (0 or more characters) and "?" (single character).
09-28-2016
07:10 PM
1 Kudo
Business Catalog feature, which deals with Taxonomy, is in tech-preview in HDP-2.5 release. Hence the feature is disabled by default. To enable this feature, add the following configuration to Atlas server configuration (atlas-application-properties) and restart Atlas server:

    atlas.feature.taxonomy.enable=true

Please note that this feature is in tech-preview; GA version may not support the taxonomy data created in the tech-preview release.
10-24-2015
05:33 AM
2 Kudos
@Neeraj - the username should be at least 2 characters long. Hence Ranger Admin failed to accept names with a single character - like "a" or "b". The issue faced by @terry@hortonworks.com is HDP-2.2 specific, where Ranger requires the username should begin with an alphabet. @terry@hortonworks.com - can you please confirm if you see this in HDP-2.2 and if starting a username with an alphabet works?