Ranger tag permissions appear to not take effect in Atlas
Having problem where it appears that policy tags set in Ranger appear to not take effect in Atlas.
Roughly following the tutorial here (https://hortonworks.com/tutorial/tag-based-policies-with-apache-ranger-and-apache-atlas/section/2/#create-ranger-tag-based-policy), trying to create a tag policy for classifications created in Atlas.
Created a classification in Atlas for an hdfs_path entity
Then created a ranger tag for that Atlas PHI classification that only allows certain atlas actions for a user not the atlas admin user, in Service Manager > Tag Based Policies
In Service Manager > atlas Policies, I make an Atlas service that uses that tag
and disable the Ranger Atlas service policy related to allowing public access to Atlas
Yet logging into Atlas as admin (not the user specified in the Ranger tag), I can still search for and find atlas entities that have the PHI tag assigned to them as well as remove and (re)add the tag, evidenced in the Ranger audit logs...
I would think this should not be possible. I would expect the tags column to have the custom tag in it and for access by "admin" to have been denied.
As an HDFS example...
Despite the fact that the Ranger tag only specifies user hdfs, I can still access the HDFS location as user "admin". I notice several things about the Ranger audit shown below
- The "Name/Type" includes the Atlas classifications associated with the resource
- The tags column is empty
I interpret this to mean that 1) Ranger recognizes that the location is associated with some Atlas tags and 2) it does not see any tags for or against allowing the user "admin" to access that resource.
Can anyone with more Atlas+Ranger experience let me know what I am getting wrong here? Any debugging suggestions?
So first in the log4j settings enable tracing (log4j.properties)
TagSync:
LogLevel: INFOThen make sure theat after a tag is created in atlas via the UI that it propagates to the Ranger Database table called 'public.x_tag' or public.x_tag_def. You will see the tag first ends up on kafka and then tag sync adds it to ranger's database. Once you enable tracing the logs will show this and if it doesn't work it will show why not.
What's likely is that the service names in ranger do not match if you say the policy enforcement is not working and you may need to specify the correct qualified name in atlas when creating the classification
in Atlas creating the tag:
Notice the qualified name
Then back in ranger
What I noticed is that if the qualified name of the tag doesn't match that of the services created in ranger, the policies do not enforce. Unfortunately, it's nowhere in any documentation and I had to figure that out in the logs
- How can i disable ssl verification on ranger to elastic for audit?
- Apache ranger yarn plugin is not working as expected?
- Configure Spark 3 thrift server with Apache Ranger
- Ranger tag permissions appear to not take effect in Atlas
- How to set up apache ranger on apple macbook pro m1
- Error when building branch 2.3: Could not resolve dependencies for project org.apache.ranger:ranger-solr-plugin:jar
- Apache-ranger python library JSONDecoder error
- Apache Ranger compile failed at assembly stage
- unable to extract all users using ranger rest api user query
- Spark table and Ranger Row filtering
- LDAP limit user search on specific OUs
- REST API Level authorization with Apache Knox + Ranger
- How to migrate roles from one apache ranger instance to other instance?
- Add existing user to existing group apache ranger
- How to check status/health of Apache Ranger?
- Ranger is showing Hadoop-ACL used to grant access instead of Ranger-ACL
- Is it possible to integrate apache ranger/atlas with apache flink?
- "Host 'xxxx is not allowed to connect to this MySQL server" when installing Ranger DBs via Ambari
- Does Ranger incremental AD sync overwrite each time or leave previously synced users (eg. if filter changes)? Unix users recreated?
- Using -update option in java distcp
- Hive query failed in Tez engine but runing in MR mode
- Hadoop Hbase Access denied exception
- Standalone spark cluster Authorization with Ranger
- Ranger policies don't work for HDFS NFS access
- What determines what user / groups Ranger can see when setting policies?
- What is the default Ranger admin username and password for hortonworks/sandbox-hdp:3.0.1
- apache ranger with hive plugin - what objects need to be persisted
- HDFS encryption: User:hdfs not allowed to do 'DECRYPT_EEK' on 'hdfskey'
- Hadoop-Apache Ranger: StackOverflowError on namenode restart
- How to add users to Apache Ranger via REST API