1

Having problem where it appears that policy tags set in Ranger appear to not take effect in Atlas.

Roughly following the tutorial here (https://hortonworks.com/tutorial/tag-based-policies-with-apache-ranger-and-apache-atlas/section/2/#create-ranger-tag-based-policy), trying to create a tag policy for classifications created in Atlas.

Created a classification in Atlas for an hdfs_path entity enter image description here Then created a ranger tag for that Atlas PHI classification that only allows certain atlas actions for a user not the atlas admin user, in Service Manager > Tag Based Policies enter image description here In Service Manager > atlas Policies, I make an Atlas service that uses that tag enter image description here and disable the Ranger Atlas service policy related to allowing public access to Atlas enter image description here

Yet logging into Atlas as admin (not the user specified in the Ranger tag), I can still search for and find atlas entities that have the PHI tag assigned to them as well as remove and (re)add the tag, evidenced in the Ranger audit logs... enter image description here I would think this should not be possible. I would expect the tags column to have the custom tag in it and for access by "admin" to have been denied.

As an HDFS example...

Despite the fact that the Ranger tag only specifies user hdfs, I can still access the HDFS location as user "admin". I notice several things about the Ranger audit shown below image.png

  1. The "Name/Type" includes the Atlas classifications associated with the resource
  2. The tags column is empty

I interpret this to mean that 1) Ranger recognizes that the location is associated with some Atlas tags and 2) it does not see any tags for or against allowing the user "admin" to access that resource.

Can anyone with more Atlas+Ranger experience let me know what I am getting wrong here? Any debugging suggestions?

4

1 回答 1

1

So first in the log4j settings enable tracing (log4j.properties)

TagSync:
  LogLevel: INFO

Then make sure theat after a tag is created in atlas via the UI that it propagates to the Ranger Database table called 'public.x_tag' or public.x_tag_def. You will see the tag first ends up on kafka and then tag sync adds it to ranger's database. Once you enable tracing the logs will show this and if it doesn't work it will show why not.

What's likely is that the service names in ranger do not match if you say the policy enforcement is not working and you may need to specify the correct qualified name in atlas when creating the classification

in Atlas creating the tag: enter image description here Notice the qualified name

Then back in ranger

enter image description here

What I noticed is that if the qualified name of the tag doesn't match that of the services created in ranger, the policies do not enforce. Unfortunately, it's nowhere in any documentation and I had to figure that out in the logs

于 2021-02-03T05:35:30.087 回答