Having a problem where it appears that policy tags set in Ranger do not take effect in Atlas.
Roughly following the tutorial here (https://hortonworks.com/tutorial/tag-based-policies-with-apache-ranger-and-apache-atlas/section/2/#create-ranger-tag-based-policy), trying to create a tag policy for classifications created in Atlas.
- Created a classification in Atlas for an hdfs_path entity.
- Then created a Ranger tag for that Atlas PHI classification that only allows certain Atlas actions for a user, not the Atlas admin user, in Service Manager > Tag Based Policies.
- In Service Manager > atlas Policies, I make an Atlas service that uses that tag and disable the Ranger Atlas service policy related to allowing public access to Atlas.
Yet logging into Atlas as admin (not the user specified in the Ranger tag), I can still search for and find atlas entities that have the PHI tag assigned to them as well as remove and (re)add the tag, evidenced in the Ranger audit logs... I would think this should not be possible. I would expect the tags column to have the custom tag in it and for access by "admin" to have been denied.
As an HDFS example...
Despite the fact that the Ranger tag only specifies user hdfs, I can still access the HDFS location as user "admin". I notice several things about the Ranger audit shown below:
- The "Name/Type" includes the Atlas classifications associated with the resource
- The tags column is empty
I interpret this to mean that 1) Ranger recognizes that the location is associated with some Atlas tags and 2) it does not see any tags for or against allowing the user "admin" to access that resource.
Can anyone with more Atlas+Ranger experience let me know what I am getting wrong here? Any debugging suggestions?