[ https://issues.apache.org/jira/browse/RANGER-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Abhay Kulkarni updated RANGER-2066:
-----------------------------------
    Description:
ERROR SCENARIO:
Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, manager)
Column emp/prof_data/role is tagged with OFFICIAL tag.
Create following policies:
Resource policy allows Read on table=*, ** column-family=*,column=* and Tag policy allows Read on OFFICIAL tag for a test_user.
When test_user executes 'scan emp' command, two audit log records are created:
1. Resource: emp/personal_data
   Name / Type: column-family
   Allowed
   Policy allowing: Resource based policy
2. Resource: emp/prof_data
   Name / Type: column-family
   Allowed
   Policy allowing: TAG based policy for OFFICIAL tag
prof_data column-family should not be authorized by a tagged role column in it.

  was:
ERROR SCENARIO:
Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, manager)
Column emp/prof_data/role is tagged with OFFICIAL tag.
Create following policies:
Resource policy allows Read on table=*, column-family=*,column=* and Tag policy allows Read on OFFICIAL tag for a test_user.
When test_user executes 'scan emp' command, two audit log records are created:
1. Resource: emp/personal_data
   Name / Type: column-family
   Allowed
   Policy allowing: Resource based policy
2. Resource: emp/prof_data
   Name / Type: column-family
   Allowed
   Policy allowing: TAG based policy for OFFICIAL tag
prof_data column-family should not be authorized by a tagged role column in it.

> Hbase column family access is authorized by a tagged column in the column family
> --------------------------------------------------------------------------------
>
>                 Key: RANGER-2066
>                 URL: https://issues.apache.org/jira/browse/RANGER-2066
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 1.0.0, master
>            Reporter: Anuja Leekha
>            Priority: Major
>             Fix For: master, 1.1.0
>
>
> ERROR SCENARIO:
> Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, manager)
> Column emp/prof_data/role is tagged with OFFICIAL tag.
> Create following policies:
> Resource policy allows Read on table=*, ** column-family=*,column=* and Tag policy allows Read on OFFICIAL tag for a test_user.
> When test_user executes 'scan emp' command, two audit log records are created:
> 1. Resource: emp/personal_data
>    Name / Type: column-family
>    Allowed
>    Policy allowing: Resource based policy
> 2. Resource: emp/prof_data
>    Name / Type: column-family
>    Allowed
>    Policy allowing: TAG based policy for OFFICIAL tag
> prof_data column-family should not be authorized by a tagged role column in it.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
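
The mismatch described in the report, as an added example that is not part of the original message and is not Apache Ranger code: a simplified model in which the tag lookup for a column family either includes tags of its columns (the reported audit result) or only tags on the resource itself and its ancestors (the expected result). All function names are hypothetical; the model assumes tag policies are consulted before the resource policy and that a tag on an ancestor applies to the resources below it.

```python
# Simplified model of the scenario in RANGER-2066; not Apache Ranger code.
# Resources are paths: (table,), (table, family) or (table, family, column).

# Constructed tag store from the report: only emp/prof_data/role is tagged.
TAGS = {("emp", "prof_data", "role"): {"OFFICIAL"}}

# Tag policy from the report: test_user may Read anything tagged OFFICIAL.
TAG_POLICY = {("test_user", "OFFICIAL", "read")}
# Resource policy from the report: Read on table=*, column-family=*, column=*.
RESOURCE_POLICY = {("test_user", "read")}


def tags_including_descendants(resource):
    """Reported behaviour: a tag on any column below the resource also matches."""
    found = set()
    for tagged, tags in TAGS.items():
        if tagged[:len(resource)] == resource:   # tagged is resource or a descendant
            found |= tags
    return found


def tags_self_or_ancestor(resource):
    """Expected behaviour (model assumption): only tags on the resource itself
    or on an ancestor (its table or family) apply to it."""
    found = set()
    for tagged, tags in TAGS.items():
        if resource[:len(tagged)] == tagged:     # tagged is resource or an ancestor
            found |= tags
    return found


def authorize(user, access, resource, tag_lookup):
    """Return the policy that allows the access, or None. Tag policies are
    consulted first in this model (assumption), then the resource policy."""
    for tag in sorted(tag_lookup(resource)):
        if (user, tag, access) in TAG_POLICY:
            return f"tag:{tag}"
    if (user, access) in RESOURCE_POLICY:
        return "resource"
    return None


def scan_audit(user, table, families, tag_lookup):
    """One audit decision per column family, as 'scan emp' produces on the page."""
    return {f"{table}/{fam}": authorize(user, "read", (table, fam), tag_lookup)
            for fam in families}
```

With the descendant-inclusive lookup the model attributes emp/prof_data to the OFFICIAL tag policy, matching the second audit record; with the self-or-ancestor lookup both families are attributed to the resource policy while the tagged column emp/prof_data/role is still matched by the tag policy.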