[ https://issues.apache.org/jira/browse/RANGER-5202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17947436#comment-17947436 ]

Madhan Neethiraj commented on RANGER-5202:
------------------------------------------

[~dineshkumar-yadav] - scan returns all columns on which the user has read 
access; it will not fail if the user doesn't have permission on a subset of 
columns in the table being scanned. Looking at the use case detailed in the 
description, the user has:
 * read access to {{prof_data}} column-family
 * no access to {{personal_data}} column-family

Hence, the scan at step #8 did not fail, and it returned 0 rows since there is 
no data in {{prof_data}} column-family. This is by design.


Note that scanning for only {{personal_data}} column-family (command below) 
would fail with access-denied error.

{code:java}
scan 'emp', { COLUMNS => 'personal_data' }
{code}

Also, if the table had only personal_data column family, {{scan 'emp'}} would 
fail with access-denied error.

> Tag deny policy is not getting enforced on scan table command for hbase
> -----------------------------------------------------------------------
>
>                 Key: RANGER-5202
>                 URL: https://issues.apache.org/jira/browse/RANGER-5202
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: Dineshkumar Yadav
>            Assignee: Dineshkumar Yadav
>            Priority: Major
>
> Steps
> 1. kinit with hbase user
> 2. Create a table and insert data by logging into hbase shell
> {code:java}
> hbase shell
> create 'emp','personal_data','prof_data'
> put 'emp', '1', 'personal_data:name', 'Anu'
> put 'emp', '1', 'personal_data:SSN', '11111'
> {code}
> 3. Create a tag "testtag1" in atlas and assign it to the hbase table
> 4. Add systest in 'all - table, column-family, column' policy
> {code:java}
> resource
>      HBase Table : *
>      HBase Column-family : *
>      HBase Column : *
> allow policyitem
>      systest :Read
> {code}
> 6. Run the scan command; he will be allowed
> {code:java}
> hbase:002:0> scan 'emp';
> ROW  COLUMN+CELL
>  1 column=personal_data:SSN, timestamp=2025-03-17T12:53:33.654, value=11111
>  1 column=personal_data:name, timestamp=2025-03-17T12:53:25.128, value=Anu
> 1 row(s)
> Took 0.8628 seconds
> {code}
> 7. Create a tag deny policy for systest
> {code:java}
> resource
>      TAG : testtag1
> deny policyitem
>      systest :hbase:read, hbase:write, hbase:create
> {code}
> 8. Run the scan command again
> {code:java}
> hbase:007:0> scan 'emp';
> ROW  COLUMN+CELL
> 0 row(s)
> Took 0.0204 seconds
> {code}
> The user should be denied due to tag policy.

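The scan semantics described in the comment above (a full-table scan is narrowed to the column families the user can read, while naming a family the user cannot read in COLUMNS fails outright), as an added Python model that is not Ranger or HBase code. The names authorize_scan, AccessDenied and the 'emp' sample data are constructed for this illustration; the per-family read decisions are assumed to come from prior policy evaluation.

```python
# Added illustration, not Ranger or HBase code: a simplified model of the
# scan authorization behaviour described in the comment above. Policy
# evaluation (resource + tag policies) is assumed to have already produced
# allowed_families, the column families the user may read.

class AccessDenied(Exception):
    """Raised where the HBase shell would report an access-denied error."""

def authorize_scan(table_families, allowed_families, rows, columns=None):
    """Return {row_key: {"family:qualifier": value}} visible to the user.
    table_families: the table's schema; columns: families from COLUMNS =>,
    or None for a full-table scan."""
    allowed = set(allowed_families)
    if columns is not None:
        # Explicitly naming a family the user cannot read fails the request.
        missing = set(columns) - allowed
        if missing:
            raise AccessDenied("no read access on %s" % sorted(missing))
        visible = set(columns)
    else:
        # A full-table scan is narrowed to the readable families and fails
        # only when none of the table's families are readable.
        visible = set(table_families) & allowed
        if not visible:
            raise AccessDenied("no read access on any column family")
    result = {}
    for key, cells in rows.items():
        kept = {c: v for c, v in cells.items() if c.split(":", 1)[0] in visible}
        if kept:  # a row with no readable cells is not returned at all
            result[key] = kept
    return result

# Constructed sample matching the ticket: 'emp' has two families, but data
# was only written to personal_data.
EMP_FAMILIES = ["personal_data", "prof_data"]
EMP_ROWS = {"1": {"personal_data:name": "Anu", "personal_data:SSN": "11111"}}

def step6_scan():
    # Resource policy grants Read on everything: 1 row with both cells.
    return authorize_scan(EMP_FAMILIES, ["personal_data", "prof_data"], EMP_ROWS)

def step8_scan():
    # Tag deny removes personal_data; scan 'emp' still succeeds but returns
    # 0 rows because prof_data holds no data.
    return authorize_scan(EMP_FAMILIES, ["prof_data"], EMP_ROWS)

def scan_personal_data_only():
    # scan 'emp', { COLUMNS => 'personal_data' } is denied outright.
    return authorize_scan(EMP_FAMILIES, ["prof_data"], EMP_ROWS, ["personal_data"])
```

The fourth case in the comment, a table whose only family is personal_data, is covered by calling authorize_scan with table_families=["personal_data"] and allowed_families=["prof_data"], which raises AccessDenied.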


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
