Description
The API that checks whether a user has any access within a resource returns deny when a tag-based policy denies access to a child resource, even though another policy allows access to a different child resource. More details to reproduce the issue below:
- Policy on tag=RESTRICTED denies select access to user2
- A resource-based policy allows select access to user2 on database=*, table=*, column=*
- Column finance.tax_2016.name is tagged with RESTRICTED
- user2 is denied select on this column by above tag-based policy – this is as expected
- user2 is denied _any on finance database (like "use finance;") by above tag-based policy – which is incorrect
Expected: access should have been allowed by above resource-based policy
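
The scenario above as a small policy-evaluation model, added here as an illustration; it is not Ranger code and does not use Ranger's API. The second column `finance.tax_2016.amount`, the data structures and all function names are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample data mirroring the report (not Ranger's data model).
# "amount" is a hypothetical untagged sibling column.
COLUMNS = [("finance", "tax_2016", "name"), ("finance", "tax_2016", "amount")]
TAGS = {("finance", "tax_2016", "name"): {"RESTRICTED"}}
TAG_DENY = [{"tag": "RESTRICTED", "user": "user2", "access": "select"}]
RES_ALLOW = [{"resource": ("*", "*", "*"), "user": "user2", "access": "select"}]


def tag_denies(user, access, column):
    """True if a tag-based deny policy applies to this exact column.
    The model has one access type, so _any on a column reduces to select."""
    tags = TAGS.get(column, set())
    return any(p["user"] == user and p["tag"] in tags
               and access in (p["access"], "_any") for p in TAG_DENY)


def resource_allows(user, access, column):
    """True if a resource-based allow policy (with wildcards) matches."""
    return any(p["user"] == user and access in (p["access"], "_any")
               and all(fnmatchcase(v, pat)
                       for v, pat in zip(column, p["resource"]))
               for p in RES_ALLOW)


def column_allowed(user, access, column):
    """For an exact resource, the tag deny wins over the resource allow."""
    return (not tag_denies(user, access, column)
            and resource_allows(user, access, column))


def descendants(scope):
    """Columns under a partial resource such as ("finance",)."""
    return [c for c in COLUMNS if c[:len(scope)] == scope]


def any_access_reported(user, scope):
    """Behaviour described in the report: a tag deny on one descendant
    turns the whole _any check on the ancestor into a deny."""
    cols = descendants(scope)
    if any(tag_denies(user, "_any", c) for c in cols):
        return False
    return any(resource_allows(user, "_any", c) for c in cols)


def any_access_expected(user, scope):
    """Expected behaviour: allow if at least one descendant stays accessible."""
    return any(column_allowed(user, "_any", c) for c in descendants(scope))
```

The checks on `("finance",)` make a compact regression test: the tagged column must stay denied while the `_any` check on the database is allowed.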
Issue Links
- fixes: RANGER-3839 Ranger Tag based policy with ability to show metadata for covered resource (Resolved)