Missing authorization for viewing assets

Cloudera Data Catalog users must have appropriate authorization set up in Apache Ranger to view certain asset types.

Lack of permission to view a dataset

If you do not have access to a dataset, an error message similar to the following appears:

The previous error message is the result of a Hive policy setting similar to the following:

The following image displays the Deny Conditions set for the specific user.
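The sketch below shows how a deny condition like the one described above overrides an allow entry for the same user. It is an added example, not Cloudera's or Apache Ranger's code. It assumes a constructed policy (the policy name, database and users are made up) and a simplified evaluator that matches on users only, ignoring groups, roles, exclude flags, policy priority and custom conditions.

```python
from fnmatch import fnmatchcase

# Constructed sample using the field names of Ranger's policy JSON (RangerPolicy model).
# Policy name, database and users are made up for illustration.
POLICIES = [{
    "name": "sales_all_access", "isEnabled": True,
    "resources": {"database": {"values": ["sales"]},
                  "table": {"values": ["*"]},
                  "column": {"values": ["*"]}},
    "policyItems": [{"users": ["alice", "bob"],
                     "accesses": [{"type": "select", "isAllowed": True}]}],
    "denyPolicyItems": [{"users": ["bob"],
                         "accesses": [{"type": "select", "isAllowed": True}]}],
    "allowExceptions": [], "denyExceptions": [],
}]

def resource_matches(policy, request):
    """Every resource level in the policy must match (* and ? wildcards)."""
    for level, spec in policy["resources"].items():
        wanted = request.get(level, "").lower()
        if not any(fnmatchcase(wanted, v.lower()) for v in spec["values"]):
            return False
    return True

def item_hits(items, user, access):
    """True if any policy item names this user and grants this access type."""
    return any(user in item.get("users", [])
               and any(a["type"] == access and a.get("isAllowed", True)
                       for a in item.get("accesses", []))
               for item in items or [])

def evaluate(policies, user, access, **resource):
    """Return (decision, policy name). A deny in any matching policy wins."""
    allowed_by = None
    for p in policies:
        if not p.get("isEnabled", True) or not resource_matches(p, resource):
            continue
        if (item_hits(p.get("denyPolicyItems"), user, access)
                and not item_hits(p.get("denyExceptions"), user, access)):
            return ("DENY", p["name"])
        if (allowed_by is None
                and item_hits(p.get("policyItems"), user, access)
                and not item_hits(p.get("allowExceptions"), user, access)):
            allowed_by = p["name"]
    return ("ALLOW", allowed_by) if allowed_by else ("NOT_DETERMINED", None)

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, evaluate(POLICIES, u, "select", database="sales", table="orders"))
```

A user who is listed in both the allow and deny conditions ends up denied, and a user who appears in no policy gets no decision at all, which also results in no access.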



Hive Ranger policy

You must set up Hive Ranger resource-based policies as per your work requirements for Hive assets in Cloudera Data Catalog.

The following diagram provides a sample Hive Ranger policy with all permissions.

Atlas Ranger policy

Additionally, you must set up Ranger policies for Atlas to work with asset search and tag flow management.

The following diagram provides a sample Atlas Ranger policy.

Reducing resource consumption with restricted users

When you plan to restrict data access, note the following:

  • Audit summarization for the asset comes from the Ranger Audit Profiler and Metrics service.
  • Various Hive Column Statistical metrics for the columns of the asset come from Atlas as part of the profile_data of a column.

To ensure that the audit summary data and the Hive Column Statistics are not visible to subscribers, you must turn off the Ranger Audit Profiler/Activity Profiler and the Hive Column Profiler/Statistics Collector Profiler, respectively.