Posted to user@ranger.apache.org by Aneela Saleem <an...@platalytics.com> on 2015/12/10 21:48:38 UTC

HBase test cases

Hi all,

Here are my test cases for HBase plugin. I have some confusions regarding
write access to different users/groups.

Following is my concerned Policy:

Where HBase Table is 'emp', HBase column family is 'f' and HBase column is
'name', on which this policy is applied.

Following are my test cases:


Test_ID  User   Group           Command                     Expected  Actual   Policy
1        Roger  Developers      scan 'emp'                  Allowed   Allowed  Ranger
2        Roger  Developers      put 'emp','1','f:age','18'  Allowed   Denied   Ranger
3        Smith  Developers      put 'emp','1','f:age','18'  Denied    Denied   Ranger
4        Smith  Developers      scan 'emp'                  Denied    Denied   ranger
5        Clark  Data-Scientist  Scan 'emp'                  Allowed   Allowed  Ranger
6        Clark  Data-Scientist  put 'emp','1','f:age','10'  Allowed   Denied   Ranger
7        Mike   Data-Scientist  put 'emp','1','f:age','10'  Denied    Denied   Ranger
8        Mike   Data-Scientist  Scan 'emp'                  Allowed   Allowed  Ranger

Can anyone please explain why in Test_Id_(2,6) the actual result is
'Denied'? (IMO it should be 'Allowed')

Re: HBase test cases

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Lune!

Exclude from Allow condition is mentioned to disallow mike to write in a
column. This means all users of group datascientist and user roger have all
permissions but user mike is now allowed to write.

For further details read from here
<https://cwiki.apache.org/confluence/display/RANGER/How+Deny+Policies+Work+in+Apache+Ranger>

Thanks

On Thu, Dec 17, 2015 at 11:58 AM, Lune Silver <lu...@gmail.com>
wrote:

> Hello ! In the step0003.png, what is the goal of the exclude from allow
> condition ?
>
> Best regards.
>
> Lune.
>

Re: HBase test cases

Posted by Lune Silver <lu...@gmail.com>.
Hello ! In the step0003.png, what is the goal of the exclude from allow
condition ?

Best regards.

Lune.

Re: HBase test cases

Posted by Madhan Neethiraj <ma...@apache.org>.
Aneela,

>>  If policy 4 is stopping then i think audits should show Policy number but it is not showing.
Policy 4 does not deny the access; it just did not authorize. In such case, Ranger policy engine will look for the next policy to authorize the access.

>> Policy #10 has resource “table=emp; columnFamily=f; column=name”.
From the audit logs, we can see that this policy allowed user mike put access to column name. To allow the user put access to column age, include age to the column list in this policy.

>> How can we allow users to add new columns in a specific table ?
During put operation, HBase seems to be adding the column as long as the user has write access to the column.

Thanks,
Madhan

From:  Aneela Saleem <an...@platalytics.com>
Reply-To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date:  Wednesday, December 16, 2015 at 2:33 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Re: HBase test cases

Hi Madhan! 

Policy #10 has resource “table=emp; columnFamily=f; column=name”.  If policy 4 is stopping then i think audits should show Policy number but it is not showing. Secondly How can we allow users to add new columns in a specific table ?

Thanks

On Thu, Dec 17, 2015 at 3:19 AM, Madhan Neethiraj <ma...@apache.org> wrote:
Aneela,

Policy #4 has resource “table=*; columnFamily=*; column=*”, is for users admin and hbase only. This policy will not authorize access for user mike.

I guess the second image in your email is policy #10; the image does not show the resources of this policy. Can you send a screenshot of the resources of this policy?

Thanks,
Madhan

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Wednesday, December 16, 2015 at 1:53 PM 

To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: HBase test cases

Hi Madhan!

Here is the screenshot of the respective audits. Please have a look.


Policy ID  Event Time              User  Service Name / Type  Resource Name  Access Type  Result   Access Enforcer  Client IP  Event Count  Tags
--         12/17/2015 01:05:39 AM  mike  hbasedev / hbase     emp/f/age      put          Denied   ranger-acl       127.0.0.1  1
--         12/17/2015 12:59:37 AM  mike  hbasedev / hbase     emp/f/age      put          Denied   ranger-acl       127.0.0.1  1
--         12/17/2015 12:55:06 AM  mike  hbasedev / hbase     emp/f/age      put          Denied   ranger-acl       127.0.0.1  1
10         12/17/2015 12:54:45 AM  mike  hbasedev / hbase     emp/f/name     scannerOpen  Allowed  ranger-acl       127.0.0.1  6
10         12/17/2015 12:54:39 AM  mike  hbasedev / hbase     emp/f/name     put          Allowed  ranger-acl       127.0.0.1  1
10         12/17/2015 12:53:27 AM  mike  hbasedev / hbase     emp/f/name     scannerOpen  Allowed  ranger-acl       127.0.0.1  5

There are two policies, one is default and second one is the concerned respectively. Please have a look


On Tue, Dec 15, 2015 at 11:59 PM, Madhan Neethiraj <ma...@apache.org> wrote:
Aneela,

Do you have policy that allows WRITE access for column=* (or the column the user is trying put – in your example ‘column=age’)?

If these are in place, can you provide all the fields of the audit log that show deny? Including username, resource, etc.

Thanks,
Madhan

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Tuesday, December 15, 2015 at 10:50 AM 

To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: HBase test cases

Hi, 

I'm stuck at this point, i need to know why PUT access is not granted even if the user have all permissions i.e., read, write, create, admin

Thanks. 

On Sun, Dec 13, 2015 at 12:59 AM, Aneela Saleem <an...@platalytics.com> wrote:
Hi Madhan! 

The logs contain 
policy-id: ---
Action: PUT
Access: Denied
Policy Enforcer: Ranger 

And about Row Keys, i actually want to apply HBase cell level security, and want to protect Row Key as well. If a user uses Apache Phoenix on top of HBase. He may consider Row Key as a Primary Key in Phoenix view and he may be interested in protecting that Primary Key column. So how can we protect Row Key in Apache Ranger?

On Fri, Dec 11, 2015 at 3:05 AM, Madhan Neethiraj <ma...@apache.org> wrote:
Aneela,

>>  How can we allow users to add new columns into existing table? 
Give the users ‘create’ permission on the columns they need to be allowed to create. To allow creation of any column name, specify “*” as the column.

>> because i could not run put 'emp','3','f:age','18' with user having all permissions i.e., READ,WRITE,CREATE,ADMIN
Can you please check the audit logs to find the details of the denied access? Details like: action, policy-id..

>> How can we apply permissions on HBase Row keys?
Can you please elaborate the usecase you are trying to address?

Thanks,
Madhan

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Thursday, December 10, 2015 at 1:23 PM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: HBase test cases

Thanks Madhan! Got it. 

I have couple of questions. 

How can we apply permissions on HBase Row keys?
How can we allow users to add new columns into existing table? 
because i could not run put 'emp','3','f:age','18' with user having all permissions i.e., READ,WRITE,CREATE,ADMIN



On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <ma...@apache.org> wrote:
Aneela,

Perhaps because the policy allows for column ‘name’:
  >> Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

But the put was for column ‘age’?
  >> put 'emp','1','f:age','18'

Can you please check the audit log, for the policy that denied the access?

Thanks,
Madhan


From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Thursday, December 10, 2015 at 12:48 PM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: HBase test cases

Hi all, 

Here are my test cases for HBase plugin. I have some confusions regarding write access to different users/groups. 

Following is my concerned Policy:

Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

Following are my test cases:


Test_ID  User   Group           Command                     Expected  Actual   Policy
1        Roger  Developers      scan 'emp'                  Allowed   Allowed  Ranger
2        Roger  Developers      put 'emp','1','f:age','18'  Allowed   Denied   Ranger
3        Smith  Developers      put 'emp','1','f:age','18'  Denied    Denied   Ranger
4        Smith  Developers      scan 'emp'                  Denied    Denied   ranger
5        Clark  Data-Scientist  Scan 'emp'                  Allowed   Allowed  Ranger
6        Clark  Data-Scientist  put 'emp','1','f:age','10'  Allowed   Denied   Ranger
7        Mike   Data-Scientist  put 'emp','1','f:age','10'  Denied    Denied   Ranger
8        Mike   Data-Scientist  Scan 'emp'                  Allowed   Allowed  Ranger



Can anyone please explain why in Test_Id_(2,6) the actual result is 'Denied'? (IMO it should be 'Allowed')
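
The evaluation behaviour described in the message above, as an added example that is not part of the original thread and is not Ranger's own code: a simplified Python model in which a policy that does not authorize a request is skipped, and a request no policy authorizes is denied with policy ID "--". The resources of policies #4 and #10 are taken from the thread; the user lists, permission sets and the action-to-permission mapping are assumptions made for the illustration.

```python
"""Simplified model of allow-policy evaluation (added example, not Ranger code)."""
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase

# Assumed mapping from the action shown in the audit log to the permission a
# policy must grant; the thread itself only states that put needs WRITE.
PERMISSION_FOR_ACTION = {"put": "write", "scannerOpen": "read"}


@dataclass(frozen=True)
class Policy:
    policy_id: int
    table: str
    column_family: str
    columns: tuple        # column patterns; "*" matches any column name
    users: frozenset
    permissions: frozenset

    def covers(self, table, family, column):
        """True when the requested cell falls under this policy's resource."""
        return (fnmatchcase(table, self.table)
                and fnmatchcase(family, self.column_family)
                and any(fnmatchcase(column, pat) for pat in self.columns))

    def authorizes(self, user, permission, table, family, column):
        return (self.covers(table, family, column)
                and user in self.users
                and permission in self.permissions)


def evaluate(policies, user, action, resource):
    """Return an audit-style record for one request on 'table/family/column'."""
    table, family, column = resource.split("/")
    permission = PERMISSION_FOR_ACTION[action]
    for policy in policies:
        # A policy that does not authorize is skipped, not treated as a deny.
        if policy.authorizes(user, permission, table, family, column):
            return {"policy_id": str(policy.policy_id), "user": user,
                    "resource": resource, "access": action, "result": "Allowed"}
    # Nothing authorized the request: denied by default, and no policy ID is
    # recorded, which is the "--" in the audit screen.
    return {"policy_id": "--", "user": user, "resource": resource,
            "access": action, "result": "Denied"}


ALL = frozenset({"read", "write", "create", "admin"})

# Resources as stated in the thread; users and permissions are constructed.
POLICY_4 = Policy(4, "*", "*", ("*",), frozenset({"admin", "hbase"}), ALL)
POLICY_10 = Policy(10, "emp", "f", ("name",), frozenset({"mike"}), ALL)
POLICIES = [POLICY_4, POLICY_10]

# The two fixes suggested in the thread: list the column, or use "*".
POLICY_10_WITH_AGE = replace(POLICY_10, columns=("name", "age"))
POLICY_10_ANY_COLUMN = replace(POLICY_10, columns=("*",))


def replay(policies):
    """Replay the three kinds of request from the audit log against a policy set."""
    requests = [("mike", "scannerOpen", "emp/f/name"),
                ("mike", "put", "emp/f/name"),
                ("mike", "put", "emp/f/age")]
    return [evaluate(policies, *req) for req in requests]


if __name__ == "__main__":
    for label, policy_set in [("column=name (as configured)", POLICIES),
                              ("column=name,age", [POLICY_4, POLICY_10_WITH_AGE]),
                              ("column=*", [POLICY_4, POLICY_10_ANY_COLUMN])]:
        print(label)
        for rec in replay(policy_set):
            print("  {policy_id:>2} {user} {resource:<11} {access:<12} {result}".format(**rec))
```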







Re: HBase test cases

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Madhan!

Policy #10 has resource “table=emp; columnFamily=f; column=name”.  If
policy 4 is stopping then i think audits should show Policy number but it
is not showing. Secondly How can we allow users to add new columns in a
specific table ?

Thanks


Re: HBase test cases

Posted by Madhan Neethiraj <ma...@apache.org>.
Aneela,

Policy #4 has resource “table=*; columnFamily=*; column=*”, is for users admin and hbase only. This policy will not authorize access for user mike.

I guess the second image in your email is policy #10; the image does not show the resources of this policy. Can you send a screenshot of the resources of this policy?

Thanks,
Madhan


Re: HBase test cases

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Madhan!

Here is the screenshot of the respective audits. Please have a look.


Policy ID  Event Time              User  Service Name / Type  Resource Name  Access Type  Result   Access Enforcer  Client IP  Event Count  Tags
--         12/17/2015 01:05:39 AM  mike  hbasedev / hbase     emp/f/age      put          Denied   ranger-acl       127.0.0.1  1
--         12/17/2015 12:59:37 AM  mike  hbasedev / hbase     emp/f/age      put          Denied   ranger-acl       127.0.0.1  1
--         12/17/2015 12:55:06 AM  mike  hbasedev / hbase     emp/f/age      put          Denied   ranger-acl       127.0.0.1  1
10         12/17/2015 12:54:45 AM  mike  hbasedev / hbase     emp/f/name     scannerOpen  Allowed  ranger-acl       127.0.0.1  6
10         12/17/2015 12:54:39 AM  mike  hbasedev / hbase     emp/f/name     put          Allowed  ranger-acl       127.0.0.1  1
10         12/17/2015 12:53:27 AM  mike  hbasedev / hbase     emp/f/name     scannerOpen  Allowed  ranger-acl       127.0.0.1  5

There are two policies, one is default and second one is the concerned
respectively. Please have a look



Re: HBase test cases

Posted by Madhan Neethiraj <ma...@apache.org>.
Aneela,

Do you have policy that allows WRITE access for column=* (or the column the user is trying put – in your example ‘column=age’)?

If these are in place, can you provide all the fields of the audit log that show deny? Including username, resource, etc.

Thanks,
Madhan


Re: HBase test cases

Posted by Aneela Saleem <an...@platalytics.com>.
Hi,

I'm stuck at this point, I need to know why PUT access is not granted even
if the user has all permissions i.e., read, write, create, admin

Thanks.

On Sun, Dec 13, 2015 at 12:59 AM, Aneela Saleem <an...@platalytics.com>
wrote:

> Hi Madhan!
>
> The logs contain
> policy-id: ---
> Action: PUT
> Access: Denied
> Policy Enforcer: Ranger
>
> And about Row Keys, I actually want to apply HBase cell level security,
> and want to protect Row Key as well. If a user uses Apache Phoenix on top
> of HBase. He may consider Row Key as a Primary Key in Phoenix view and he
> may be interested in protecting that Primary Key column. So how can we
> protect Row Key in Apache Ranger?
>
> On Fri, Dec 11, 2015 at 3:05 AM, Madhan Neethiraj <ma...@apache.org>
> wrote:
>
>> Aneela,
>>
>> >>  How can we allow users to add new columns into existing table?
>> Give the users ‘create’ permission on the columns they need to be allowed
>> to create. To allow creation of any column name, specify “*” as the column.
>>
>> >> because I could not run *put 'emp','3','f:age','18' *with user having
>> all permissions i.e., READ,WRITE,CREATE,ADMIN
>> Can you please check the audit logs to find the details of the denied
>> access? Details like: action, policy-id..
>>
>> >> How can we apply permissions on HBase Row keys?
>> Can you please elaborate the usecase you are trying to address?
>>
>> Thanks,
>> Madhan
>>
>> From: Aneela Saleem <an...@platalytics.com>
>> Reply-To: "user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> Date: Thursday, December 10, 2015 at 1:23 PM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: Re: HBase test cases
>>
>> Thanks Madhan! Got it.
>>
>> I have a couple of questions.
>>
>>
>>    - How can we apply permissions on HBase Row keys?
>>    - How can we allow users to add new columns into existing table?
>>
>> because I could not run *put 'emp','3','f:age','18' *with user having
>> all permissions i.e., READ,WRITE,CREATE,ADMIN
>>
>>
>>
>> On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <ma...@apache.org>
>> wrote:
>>
>>> Aneela,
>>>
>>> Perhaps because the policy allows for column ‘name’:
>>>   >> Where HBase Table is 'emp', HBase column family is 'f' and HBase
>>> column is 'name', on which this policy is applied.
>>>
>>> But the put was for column ‘age’?
>>>   >> put 'emp','1','f:age','18'
>>>
>>>
>>> Can you please check the audit log, for the policy that denied the
>>> access?
>>>
>>> Thanks,
>>> Madhan
>>>
>>>
>>> From: Aneela Saleem <an...@platalytics.com>
>>> Reply-To: "user@ranger.incubator.apache.org" <
>>> user@ranger.incubator.apache.org>
>>> Date: Thursday, December 10, 2015 at 12:48 PM
>>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org
>>> >
>>> Subject: HBase test cases
>>>
>>> Hi all,
>>>
>>> Here are my test cases for HBase plugin. I have some confusions
>>> regarding write access to different users/groups.
>>>
>>> Following is my concerned Policy:
>>>
>>> Where HBase Table is 'emp', HBase column family is 'f' and HBase column
>>> is 'name', on which this policy is applied.
>>>
>>> Following are my test cases:
>>>
>>> Test_ID | User  | Group          | Command                    | Expected | Actual  | Policy
>>> 1       | Roger | Developers     | scan 'emp'                 | Allowed  | Allowed | Ranger
>>> 2       | Roger | Developers     | put 'emp','1','f:age','18' | Allowed  | Denied  | Ranger
>>> 3       | Smith | Developers     | put 'emp','1','f:age','18' | Denied   | Denied  | Ranger
>>> 4       | Smith | Developers     | scan 'emp'                 | Denied   | Denied  | ranger
>>> 5       | Clark | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
>>> 6       | Clark | Data-Scientist | put 'emp','1','f:age','10' | Allowed  | Denied  | Ranger
>>> 7       | Mike  | Data-Scientist | put 'emp','1','f:age','10' | Denied   | Denied  | Ranger
>>> 8       | Mike  | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
>>>
>>> Can anyone please explain why in Test_Id_(2,6) the actual result is
>>> 'Denied'? (IMO it should be 'Allowed')
>>>
>>
>>
>

Re: HBase test cases

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Madhan!

The logs contain
policy-id: ---
Action: PUT
Access: Denied
Policy Enforcer: Ranger

And about Row Keys, I actually want to apply HBase cell level security, and
want to protect Row Key as well. If a user uses Apache Phoenix on top of
HBase. He may consider Row Key as a Primary Key in Phoenix view and he may
be interested in protecting that Primary Key column. So how can we protect
Row Key in Apache Ranger?

On Fri, Dec 11, 2015 at 3:05 AM, Madhan Neethiraj <ma...@apache.org> wrote:

> Aneela,
>
> >>  How can we allow users to add new columns into existing table?
> Give the users ‘create’ permission on the columns they need to be allowed
> to create. To allow creation of any column name, specify “*” as the column.
>
> >> because I could not run *put 'emp','3','f:age','18' *with user having
> all permissions i.e., READ,WRITE,CREATE,ADMIN
> Can you please check the audit logs to find the details of the denied
> access? Details like: action, policy-id..
>
> >> How can we apply permissions on HBase Row keys?
> Can you please elaborate the usecase you are trying to address?
>
> Thanks,
> Madhan
>
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Thursday, December 10, 2015 at 1:23 PM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: Re: HBase test cases
>
> Thanks Madhan! Got it.
>
> I have a couple of questions.
>
>
>    - How can we apply permissions on HBase Row keys?
>    - How can we allow users to add new columns into existing table?
>
> because I could not run *put 'emp','3','f:age','18' *with user having all
> permissions i.e., READ,WRITE,CREATE,ADMIN
>
>
>
> On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <ma...@apache.org>
> wrote:
>
>> Aneela,
>>
>> Perhaps because the policy allows for column ‘name’:
>>   >> Where HBase Table is 'emp', HBase column family is 'f' and HBase
>> column is 'name', on which this policy is applied.
>>
>> But the put was for column ‘age’?
>>   >> put 'emp','1','f:age','18'
>>
>>
>> Can you please check the audit log, for the policy that denied the access?
>>
>> Thanks,
>> Madhan
>>
>>
>> From: Aneela Saleem <an...@platalytics.com>
>> Reply-To: "user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> Date: Thursday, December 10, 2015 at 12:48 PM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: HBase test cases
>>
>> Hi all,
>>
>> Here are my test cases for HBase plugin. I have some confusions regarding
>> write access to different users/groups.
>>
>> Following is my concerned Policy:
>>
>> Where HBase Table is 'emp', HBase column family is 'f' and HBase column
>> is 'name', on which this policy is applied.
>>
>> Following are my test cases:
>>
>> Test_ID | User  | Group          | Command                    | Expected | Actual  | Policy
>> 1       | Roger | Developers     | scan 'emp'                 | Allowed  | Allowed | Ranger
>> 2       | Roger | Developers     | put 'emp','1','f:age','18' | Allowed  | Denied  | Ranger
>> 3       | Smith | Developers     | put 'emp','1','f:age','18' | Denied   | Denied  | Ranger
>> 4       | Smith | Developers     | scan 'emp'                 | Denied   | Denied  | ranger
>> 5       | Clark | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
>> 6       | Clark | Data-Scientist | put 'emp','1','f:age','10' | Allowed  | Denied  | Ranger
>> 7       | Mike  | Data-Scientist | put 'emp','1','f:age','10' | Denied   | Denied  | Ranger
>> 8       | Mike  | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
>>
>> Can anyone please explain why in Test_Id_(2,6) the actual result is
>> 'Denied'? (IMO it should be 'Allowed')
>>
>
>

Re: HBase test cases

Posted by Madhan Neethiraj <ma...@apache.org>.
Aneela,

>>  How can we allow users to add new columns into existing table? 
Give the users ‘create’ permission on the columns they need to be allowed to create. To allow creation of any column name, specify “*” as the column.

>> because I could not run put 'emp','3','f:age','18' with user having all permissions i.e., READ,WRITE,CREATE,ADMIN
Can you please check the audit logs to find the details of the denied access? Details like: action, policy-id..

>> How can we apply permissions on HBase Row keys?
Can you please elaborate the usecase you are trying to address?

Thanks,
Madhan

From:  Aneela Saleem <an...@platalytics.com>
Reply-To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date:  Thursday, December 10, 2015 at 1:23 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Re: HBase test cases

Thanks Madhan! Got it. 

I have a couple of questions.

How can we apply permissions on HBase Row keys?
How can we allow users to add new columns into existing table?
because I could not run put 'emp','3','f:age','18' with user having all permissions i.e., READ,WRITE,CREATE,ADMIN



On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <ma...@apache.org> wrote:
Aneela,

Perhaps because the policy allows for column ‘name’:
  >> Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

But the put was for column ‘age’?
  >> put 'emp','1','f:age','18'

Can you please check the audit log, for the policy that denied the access?

Thanks,
Madhan


From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Thursday, December 10, 2015 at 12:48 PM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: HBase test cases

Hi all, 

Here are my test cases for HBase plugin. I have some confusions regarding write access to different users/groups. 

Following is my concerned Policy:

Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

Following are my test cases:

Test_ID | User  | Group          | Command                    | Expected | Actual  | Policy
1       | Roger | Developers     | scan 'emp'                 | Allowed  | Allowed | Ranger
2       | Roger | Developers     | put 'emp','1','f:age','18' | Allowed  | Denied  | Ranger
3       | Smith | Developers     | put 'emp','1','f:age','18' | Denied   | Denied  | Ranger
4       | Smith | Developers     | scan 'emp'                 | Denied   | Denied  | ranger
5       | Clark | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
6       | Clark | Data-Scientist | put 'emp','1','f:age','10' | Allowed  | Denied  | Ranger
7       | Mike  | Data-Scientist | put 'emp','1','f:age','10' | Denied   | Denied  | Ranger
8       | Mike  | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger

Can anyone please explain why in Test_Id_(2,6) the actual result is 'Denied'? (IMO it should be 'Allowed')



Re: HBase test cases

Posted by Aneela Saleem <an...@platalytics.com>.
Thanks Madhan! Got it.

I have a couple of questions.


   - How can we apply permissions on HBase Row keys?
   - How can we allow users to add new columns into existing table?

because I could not run *put 'emp','3','f:age','18' *with user having all
permissions i.e., READ,WRITE,CREATE,ADMIN



On Fri, Dec 11, 2015 at 2:08 AM, Madhan Neethiraj <ma...@apache.org> wrote:

> Aneela,
>
> Perhaps because the policy allows for column ‘name’:
>   >> Where HBase Table is 'emp', HBase column family is 'f' and HBase
> column is 'name', on which this policy is applied.
>
> But the put was for column ‘age’?
>   >> put 'emp','1','f:age','18'
>
>
> Can you please check the audit log, for the policy that denied the access?
>
> Thanks,
> Madhan
>
>
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Thursday, December 10, 2015 at 12:48 PM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: HBase test cases
>
> Hi all,
>
> Here are my test cases for HBase plugin. I have some confusions regarding
> write access to different users/groups.
>
> Following is my concerned Policy:
>
> Where HBase Table is 'emp', HBase column family is 'f' and HBase column is
> 'name', on which this policy is applied.
>
> Following are my test cases:
>
> Test_ID | User  | Group          | Command                    | Expected | Actual  | Policy
> 1       | Roger | Developers     | scan 'emp'                 | Allowed  | Allowed | Ranger
> 2       | Roger | Developers     | put 'emp','1','f:age','18' | Allowed  | Denied  | Ranger
> 3       | Smith | Developers     | put 'emp','1','f:age','18' | Denied   | Denied  | Ranger
> 4       | Smith | Developers     | scan 'emp'                 | Denied   | Denied  | ranger
> 5       | Clark | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
> 6       | Clark | Data-Scientist | put 'emp','1','f:age','10' | Allowed  | Denied  | Ranger
> 7       | Mike  | Data-Scientist | put 'emp','1','f:age','10' | Denied   | Denied  | Ranger
> 8       | Mike  | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
>
> Can anyone please explain why in Test_Id_(2,6) the actual result is
> 'Denied'? (IMO it should be 'Allowed')
>

Re: HBase test cases

Posted by Madhan Neethiraj <ma...@apache.org>.
Aneela,

Perhaps because the policy allows for column ‘name’:
  >> Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

But the put was for column ‘age’?
  >> put 'emp','1','f:age','18'

Can you please check the audit log, for the policy that denied the access?

Thanks,
Madhan


From:  Aneela Saleem <an...@platalytics.com>
Reply-To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date:  Thursday, December 10, 2015 at 12:48 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  HBase test cases

Hi all, 

Here are my test cases for HBase plugin. I have some confusions regarding write access to different users/groups. 

Following is my concerned Policy:

Where HBase Table is 'emp', HBase column family is 'f' and HBase column is 'name', on which this policy is applied.

Following are my test cases:

Test_ID | User  | Group          | Command                    | Expected | Actual  | Policy
1       | Roger | Developers     | scan 'emp'                 | Allowed  | Allowed | Ranger
2       | Roger | Developers     | put 'emp','1','f:age','18' | Allowed  | Denied  | Ranger
3       | Smith | Developers     | put 'emp','1','f:age','18' | Denied   | Denied  | Ranger
4       | Smith | Developers     | scan 'emp'                 | Denied   | Denied  | ranger
5       | Clark | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger
6       | Clark | Data-Scientist | put 'emp','1','f:age','10' | Allowed  | Denied  | Ranger
7       | Mike  | Data-Scientist | put 'emp','1','f:age','10' | Denied   | Denied  | Ranger
8       | Mike  | Data-Scientist | Scan 'emp'                 | Allowed  | Allowed | Ranger

Can anyone please explain why in Test_Id_(2,6) the actual result is 'Denied'? (IMO it should be 'Allowed')
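
Added example (not part of the original thread and not Ranger's own code): a simplified Python model of the policy described in this thread, run over the eight test cases. With the column pattern 'name' it reproduces the Actual column; with the column widened to '*', as suggested in the replies, it reproduces the Expected column. The policy id, the mapping of scan to read and put to write, and the rule that a table-only request matches on the table alone are assumptions of this model.

```python
from fnmatch import fnmatchcase

# Constructed model of the policy in the thread; the id is hypothetical.
POLICY = {
    "id": 1,
    "resource": {"table": "emp", "family": "f", "column": "name"},
    "allow": [{"users": {"Roger"}, "groups": {"Data-Scientist"},
               "access": {"read", "write", "create", "admin"}}],
    # "Exclude from allow": Mike loses write even though his group has it.
    "allow_exceptions": [{"users": {"Mike"}, "groups": set(), "access": {"write"}}],
}
# Same policy with the column widened to "*", as suggested in the replies.
WIDENED = {**POLICY, "resource": {**POLICY["resource"], "column": "*"}}

AGE = {"table": "emp", "family": "f", "column": "age"}
# (test id, user, group, access, resource); assumption: scan = read, put = write.
TESTS = [
    (1, "Roger", "Developers", "read", {"table": "emp"}),
    (2, "Roger", "Developers", "write", AGE),
    (3, "Smith", "Developers", "write", AGE),
    (4, "Smith", "Developers", "read", {"table": "emp"}),
    (5, "Clark", "Data-Scientist", "read", {"table": "emp"}),
    (6, "Clark", "Data-Scientist", "write", AGE),
    (7, "Mike", "Data-Scientist", "write", AGE),
    (8, "Mike", "Data-Scientist", "read", {"table": "emp"}),
]

def resource_matches(pattern, resource):
    """Every level the request names must match the policy pattern.
    Assumption: a table-only request (scan 'emp') matches on the table alone."""
    return all(fnmatchcase(resource[k], pattern[k]) for k in resource)

def item_applies(item, user, group, access):
    """A policy item applies when it lists the access type and the user or group."""
    return access in item["access"] and (user in item["users"] or group in item["groups"])

def evaluate(policy, user, group, access, resource):
    """Return (decision, policy_id). Nothing granting access means default deny, no id."""
    if resource_matches(policy["resource"], resource):
        excluded = any(item_applies(i, user, group, access) for i in policy["allow_exceptions"])
        allowed = any(item_applies(i, user, group, access) for i in policy["allow"])
        if allowed and not excluded:
            return ("Allowed", policy["id"])
    return ("Denied", None)

def run(policy):
    """Map each test id to the decision the model reaches under the given policy."""
    return {tid: evaluate(policy, u, g, a, r)[0] for tid, u, g, a, r in TESTS}

if __name__ == "__main__":
    for name, pol in (("column=name", POLICY), ("column=*", WIDENED)):
        print(name, run(pol))
```

In this model the put on f:age never matches the 'name' policy, so the denial comes from default deny with no policy id attached, while Mike stays denied for writes under either pattern because of the exclusion.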