Hi Madhan! The logs contain policy-id: --- Action: PUT Access: Denied Policy Enforcer: Ranger
And about Row Keys, i actually want to apply HBase cell level security, and want to protect Row Key as well. If a user uses Apache Phoenix on top of HBase. He may consider Row Key as a Primary Key in Phoenix view and he may be interested in protecting that Primary Key column. So how can we protect Row Key in Apache Ranger? On Fri, Dec 11, 2015 at 3:05 AM, Madhan Neethiraj <[email protected]> wrote: > Aneela, > > >> How can we allow users to add new columns into existing table? > Give the users ‘create’ permission on the columns they need to be allowed > to create. To allow creation of any column name, specify “*” as the column. > > >> because i could not run *put 'emp','3','f:age','18' *with user having > all permissions i.e., READ,WRITE,CREATE,ADMIN > Can you please check the audit logs to find the details of the denied > access? Details like: action, policy-id.. > > >> How can we apply permissions on HBase Row keys? > Can you please elaborate the usecase you are trying to address? > > Thanks, > Madhan > > From: Aneela Saleem <[email protected]> > Reply-To: "[email protected]" < > [email protected]> > Date: Thursday, December 10, 2015 at 1:23 PM > To: "[email protected]" <[email protected]> > Subject: Re: HBase test cases > > Thanks Madhan! Got it. > > I have couple of questions. > > > - Ho can we apply permissions on HBase Row keys? > - How can we allow users to add new columns into existing table? > > because i could not run *put 'emp','3','f:age','18' *with user having all > permissions i.e., READ,WRITE,CREATE,ADMIN > > > > On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <[email protected]> > wrote: > >> Aneela, >> >> Perhaps because the policy allows for column ‘name’: >> >> Where HBase Table is 'emp', HBase column family is 'f' and HBase >> column is 'name', on which this policy is applied. >> >> But the put was for column ‘age’? >> >> put 'emp','1','f:age','18' >> >> >> Can you please check the audit log, for the policy that denied the access? >> >> Thanks, >> Madhan >> >> >> From: Aneela Saleem <[email protected]> >> Reply-To: "[email protected]" < >> [email protected]> >> Date: Thursday, December 10, 2015 at 12:48 PM >> To: "[email protected]" <[email protected]> >> Subject: HBase test cases >> >> Hi all, >> >> Here are my test cases for HBase plugin. I have some confusions regarding >> write access to different users/groups. >> >> Following is my concerned Policy: >> >> >> >> Where HBase Table is 'emp', HBase column family is 'f' and HBase column >> is 'name', on which this policy is applied. >> >> Following are my test cases: >> >> >> Test_ID >> >> User >> >> Group >> >> Command >> >> Expected >> >> Actual >> >> Policy >> >> 1 >> >> Roger >> >> Developers >> >> scan 'emp' >> >> Allowed >> >> Allowed >> >> Ranger >> >> 2 >> >> Roger >> >> Developers >> >> put 'emp','1','f:age','18' >> >> Allowed >> >> Denied >> >> Ranger >> >> 3 >> >> Smith >> >> Developers >> >> put 'emp','1','f:age','18' >> >> Denied >> >> Denied >> >> Ranger >> >> 4 >> >> Smith >> >> Developers >> >> scan 'emp' >> >> Denied >> >> Denied >> >> ranger >> >> 5 >> >> Clark >> >> Data-Scientist >> >> Scan 'emp' >> >> Allowed >> >> Allowed >> >> Ranger >> >> 6 >> >> Clark >> >> Data-Scientist >> >> put 'emp','1','f:age','10' >> >> Allowed >> >> Denied >> >> Ranger >> >> 7 >> >> Mike >> >> Data-Scientist >> >> put 'emp','1','f:age','10' >> >> Denied >> >> Denied >> >> Ranger >> >> 8 >> >> Mike >> >> Data-Scientist >> >> Scan 'emp' >> >> Allowed >> >> Allowed >> >> Ranger >> >> >> Can anyone please explain why in Test_Id_(2,6) the actual result is >> 'Denied'? (IMO it sould be 'Allowed') >> > >
