Bryan, Ranger policy model has been updated to be able to actively deny access. This enhancement is already in the master and will be included in the next release - ranger-0.6.
When an access is denied by Ranger, RangerAccessResult will have: isAccessDetermined=true; isAllowed=false. Here are the possible combinations: -------------------------------------------------------------- | # | isAccessDetermined | isAllowed | Comment | |------------------------|-----------|------------------------| | 1 | True | True | Access Allowed | |------------------------------------|------------------------| | 2 | False | False | Access not-determined | |------------------------------------|------------------------| | 3 | True | False | Access Denied | |------------------------------------|------------------------| | 4 | False | True | Invalid result | -------------------------------------------------------------- In case of #2, the components can choose to: - deny the access: this is done by Hive, Storm, Knox - fallback to native access-control: this is done by HDFS, YARN #4 is an invalid combination and this will not be returned by Ranger. Hope this helps. Madhan On 4/7/16, 1:21 PM, "Bryan Bende" <[email protected]> wrote: >Hello, > >What does isAccessDetermined mean on RangerAccessResult? > >From testing it seems like isAccessDetermined and isAllowed will both be >true when the user has access to the resource, and then they will both be >false in other cases. > >Is there ever a case where isAllowed is false, and isAccessDetermined is >true? > >Thanks, > >Bryan
