Hi, I'm stuck at this point, i need to know why PUT access is not granted even if the user have all permissions i.e., read, write, create, admin
Thanks. On Sun, Dec 13, 2015 at 12:59 AM, Aneela Saleem <[email protected]> wrote: > Hi Madhan! > > The logs contain > policy-id: --- > Action: PUT > Access: Denied > Policy Enforcer: Ranger > > And about Row Keys, i actually want to apply HBase cell level security, > and want to protect Row Key as well. If a user uses Apache Phoenix on top > of HBase. He may consider Row Key as a Primary Key in Phoenix view and he > may be interested in protecting that Primary Key column. So how can we > protect Row Key in Apache Ranger? > > On Fri, Dec 11, 2015 at 3:05 AM, Madhan Neethiraj <[email protected]> > wrote: > >> Aneela, >> >> >> How can we allow users to add new columns into existing table? >> Give the users ‘create’ permission on the columns they need to be allowed >> to create. To allow creation of any column name, specify “*” as the column. >> >> >> because i could not run *put 'emp','3','f:age','18' *with user having >> all permissions i.e., READ,WRITE,CREATE,ADMIN >> Can you please check the audit logs to find the details of the denied >> access? Details like: action, policy-id.. >> >> >> How can we apply permissions on HBase Row keys? >> Can you please elaborate the usecase you are trying to address? >> >> Thanks, >> Madhan >> >> From: Aneela Saleem <[email protected]> >> Reply-To: "[email protected]" < >> [email protected]> >> Date: Thursday, December 10, 2015 at 1:23 PM >> To: "[email protected]" <[email protected]> >> Subject: Re: HBase test cases >> >> Thanks Madhan! Got it. >> >> I have couple of questions. >> >> >> - Ho can we apply permissions on HBase Row keys? >> - How can we allow users to add new columns into existing table? >> >> because i could not run *put 'emp','3','f:age','18' *with user having >> all permissions i.e., READ,WRITE,CREATE,ADMIN >> >> >> >> On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <[email protected]> >> wrote: >> >>> Aneela, >>> >>> Perhaps because the policy allows for column ‘name’: >>> >> Where HBase Table is 'emp', HBase column family is 'f' and HBase >>> column is 'name', on which this policy is applied. >>> >>> But the put was for column ‘age’? >>> >> put 'emp','1','f:age','18' >>> >>> >>> Can you please check the audit log, for the policy that denied the >>> access? >>> >>> Thanks, >>> Madhan >>> >>> >>> From: Aneela Saleem <[email protected]> >>> Reply-To: "[email protected]" < >>> [email protected]> >>> Date: Thursday, December 10, 2015 at 12:48 PM >>> To: "[email protected]" <[email protected] >>> > >>> Subject: HBase test cases >>> >>> Hi all, >>> >>> Here are my test cases for HBase plugin. I have some confusions >>> regarding write access to different users/groups. >>> >>> Following is my concerned Policy: >>> >>> >>> >>> Where HBase Table is 'emp', HBase column family is 'f' and HBase column >>> is 'name', on which this policy is applied. >>> >>> Following are my test cases: >>> >>> >>> Test_ID >>> >>> User >>> >>> Group >>> >>> Command >>> >>> Expected >>> >>> Actual >>> >>> Policy >>> >>> 1 >>> >>> Roger >>> >>> Developers >>> >>> scan 'emp' >>> >>> Allowed >>> >>> Allowed >>> >>> Ranger >>> >>> 2 >>> >>> Roger >>> >>> Developers >>> >>> put 'emp','1','f:age','18' >>> >>> Allowed >>> >>> Denied >>> >>> Ranger >>> >>> 3 >>> >>> Smith >>> >>> Developers >>> >>> put 'emp','1','f:age','18' >>> >>> Denied >>> >>> Denied >>> >>> Ranger >>> >>> 4 >>> >>> Smith >>> >>> Developers >>> >>> scan 'emp' >>> >>> Denied >>> >>> Denied >>> >>> ranger >>> >>> 5 >>> >>> Clark >>> >>> Data-Scientist >>> >>> Scan 'emp' >>> >>> Allowed >>> >>> Allowed >>> >>> Ranger >>> >>> 6 >>> >>> Clark >>> >>> Data-Scientist >>> >>> put 'emp','1','f:age','10' >>> >>> Allowed >>> >>> Denied >>> >>> Ranger >>> >>> 7 >>> >>> Mike >>> >>> Data-Scientist >>> >>> put 'emp','1','f:age','10' >>> >>> Denied >>> >>> Denied >>> >>> Ranger >>> >>> 8 >>> >>> Mike >>> >>> Data-Scientist >>> >>> Scan 'emp' >>> >>> Allowed >>> >>> Allowed >>> >>> Ranger >>> >>> >>> Can anyone please explain why in Test_Id_(2,6) the actual result is >>> 'Denied'? (IMO it sould be 'Allowed') >>> >> >> >
