Aneela,

Do you have a policy that allows WRITE access for column=* (or the column the user is trying to put – in your example ‘column=age’)?

If these are in place, can you provide all the fields of the audit log that show deny? Including username, resource, etc.

Thanks,
Madhan

From: Aneela Saleem <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, December 15, 2015 at 10:50 AM
To: "[email protected]" <[email protected]>
Subject: Re: HBase test cases

Hi,

I'm stuck at this point, I need to know why PUT access is not granted even if the user has all permissions, i.e., read, write, create, admin.

Thanks.

On Sun, Dec 13, 2015 at 12:59 AM, Aneela Saleem <[email protected]> wrote:

Hi Madhan!

The logs contain

policy-id: ---
Action: PUT
Access: Denied
Policy Enforcer: Ranger

And about Row Keys, I actually want to apply HBase cell level security, and want to protect the Row Key as well. If a user uses Apache Phoenix on top of HBase, he may consider the Row Key as a Primary Key in a Phoenix view and he may be interested in protecting that Primary Key column. So how can we protect the Row Key in Apache Ranger?

On Fri, Dec 11, 2015 at 3:05 AM, Madhan Neethiraj <[email protected]> wrote:

Aneela,

>> How can we allow users to add new columns into existing table?

Give the users ‘create’ permission on the columns they need to be allowed to create. To allow creation of any column name, specify “*” as the column.

>> because I could not run put 'emp','3','f:age','18' with user having all
>> permissions i.e., READ,WRITE,CREATE,ADMIN

Can you please check the audit logs to find the details of the denied access? Details like: action, policy-id..

>> How can we apply permissions on HBase Row keys?

Can you please elaborate on the use case you are trying to address?

Thanks,
Madhan

From: Aneela Saleem <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, December 10, 2015 at 1:23 PM
To: "[email protected]" <[email protected]>
Subject: Re: HBase test cases

Thanks Madhan! Got it.

I have a couple of questions.

How can we apply permissions on HBase Row keys?

How can we allow users to add new columns into existing table? because I could not run put 'emp','3','f:age','18' with user having all permissions i.e., READ,WRITE,CREATE,ADMIN

On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <[email protected]> wrote:

Aneela,

Perhaps because the policy allows for column ‘name’:

>> Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

But the put was for column ‘age’?

>> put 'emp','1','f:age','18'

Can you please check the audit log, for the policy that denied the access?

Thanks,
Madhan

From: Aneela Saleem <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, December 10, 2015 at 12:48 PM
To: "[email protected]" <[email protected]>
Subject: HBase test cases

Hi all,

Here are my test cases for the HBase plugin. I have some confusions regarding write access to different users/groups.

Following is my concerned Policy:

Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

Following are my test cases:

| Test_ID | User  | Group          | Command                    | Expected | Actual  | Policy |
|---------|-------|----------------|----------------------------|----------|---------|--------|
| 1       | Roger | Developers     | scan 'emp'                 | Allowed  | Allowed | Ranger |
| 2       | Roger | Developers     | put 'emp','1','f:age','18' | Allowed  | Denied  | Ranger |
| 3       | Smith | Developers     | put 'emp','1','f:age','18' | Denied   | Denied  | Ranger |
| 4       | Smith | Developers     | scan 'emp'                 | Denied   | Denied  | ranger |
| 5       | Clark | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger |
| 6       | Clark | Data-Scientist | put 'emp','1','f:age','10' | Allowed  | Denied  | Ranger |
| 7       | Mike  | Data-Scientist | put 'emp','1','f:age','10' | Denied   | Denied  | Ranger |
| 8       | Mike  | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger |

Can anyone please explain why in Test_Id_(2,6) the actual result is 'Denied'? (IMO it should be 'Allowed')
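
Madhan's point about the column named in the policy, as an added example that is not part of the thread and is not Ranger's code: a simplified default-deny model in which a request is allowed only when a policy whose table, column family and column all match the resource grants the requested access type. The `Policy` class, the function names and the grant of all four permissions to Roger are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Policy:
    table: str    # resource patterns; "*" matches any value
    family: str
    column: str
    grants: dict  # user or group name -> set of access types


def matches(policy, table, family, column):
    """A policy applies only if every resource level matches the request."""
    return (fnmatchcase(table, policy.table)
            and fnmatchcase(family, policy.family)
            and fnmatchcase(column, policy.column))


def is_allowed(policies, user, groups, access, table, family, column):
    """Default deny: some matching policy must grant the access type."""
    for policy in policies:
        if not matches(policy, table, family, column):
            continue  # permissions in a non-matching policy are never consulted
        for principal in (user, *groups):
            if access in policy.grants.get(principal, set()):
                return True
    return False


ALL = {"read", "write", "create", "admin"}

# Constructed policies. The first mirrors the resource described in the
# thread (table 'emp', family 'f', column 'name'); the second uses the
# wildcard column suggested in the replies. The grant to Roger is assumed.
NAME_ONLY = [Policy("emp", "f", "name", {"Roger": ALL})]
ANY_COLUMN = [Policy("emp", "f", "*", {"Roger": ALL})]


def put_age(policies, user="Roger", groups=("Developers",)):
    """Test case 2 from the thread: put 'emp','1','f:age','18'."""
    return is_allowed(policies, user, groups, "write", "emp", "f", "age")


if __name__ == "__main__":
    print("column=name policy:", "Allowed" if put_age(NAME_ONLY) else "Denied")
    print("column=*    policy:", "Allowed" if put_age(ANY_COLUMN) else "Denied")
```

In this model, holding every permission on column 'name' has no effect on a put to 'f:age', because the policy never matches the requested resource.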
