Access Policy Overrides

Apache Ranger supports Access Policy Overrides to give finer-grained control over how policies interact when several of them apply to the same resource. An override lets one policy explicitly take precedence over another even when both match the same user, resource, or action, so administrators can replace inherited or broad access rules with more specific or more restrictive ones and keep policy evaluation aligned with the intended outcome. This is especially useful when a specific policy must block or narrow access that a broader or inherited rule would otherwise grant.

Overrides are typically applied:

  • Within the same service and resource scope
  • To resolve conflicts between default/global and specific/local rules

How Overrides Work

When multiple policies match a user request, Apache Ranger evaluates them based on:

  1. Deny policies (if supported)
  2. Policy specificity (more specific resource wins)
  3. Policy priority or override configuration (if equal specificity)

If override flags or priority settings are used, Ranger gives preference to the overriding policy.

Use Case Example

You have two policies:

Policy A (broad):

  • Resource: database = *
  • Access: SELECT
  • Group: analysts

Policy B (specific override):

  • Resource: database = finance_db
  • Access: SELECT
  • Group: analysts
  • Condition: ${{USER.department}} == 'finance'

By configuring Policy B as an override, you ensure that only analysts from the finance department can access finance_db, even though Policy A grants general access.

Conflicting Override Policies

If two policies are both marked as overrides and conflict, Ranger will evaluate them based on:

  • Policy Name: the name of the policy can be used to determine which one takes precedence.
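To make the evaluation order concrete, the following Python model is added for this page (it is not Apache Ranger code). It applies the order from "How Overrides Work" to the two policies of the use case above and uses the policy name as the tie-break between conflicting overrides described in this section. The dictionaries borrow field names from Ranger's policy JSON (resources, policyItems, denyPolicyItems, and policyPriority, where 1 marks an override), but the evaluator itself, the small parser for the ${{USER.department}} == 'finance' condition, and the extra deny policy POLICY_C are assumptions of this example, not Ranger's engine.

```python
"""Toy model of the policy-evaluation order described on this page.

Added example, not Apache Ranger code: the dicts reuse Ranger policy JSON field
names, but the evaluator is a simplified reading of the documented order.
"""
import fnmatch
import re

# Ranger's policyPriority values: 0 = normal, 1 = override.
PRIORITY_NORMAL, PRIORITY_OVERRIDE = 0, 1

def policy(name, priority, databases, allow=(), deny=()):
    """Build a Ranger-shaped policy dict with a single 'database' resource."""
    return {"name": name, "policyPriority": priority,
            "resources": {"database": {"values": list(databases)}},
            "policyItems": list(allow), "denyPolicyItems": list(deny)}

def item(groups, access, condition=None):
    """One policy item; condition uses the page's ${{USER.attr}} == 'value' form."""
    conds = [{"type": "expression", "values": [condition]}] if condition else []
    return {"groups": list(groups), "accesses": [{"type": access}], "conditions": conds}

# Policy A and Policy B from the use case (constructed here from the page's text).
POLICY_A = policy("analysts-all-databases", PRIORITY_NORMAL, ["*"],
                  allow=[item(["analysts"], "select")])
POLICY_B = policy("finance-db-finance-analysts", PRIORITY_OVERRIDE, ["finance_db"],
                  allow=[item(["analysts"], "select", "${{USER.department}} == 'finance'")])
# Constructed deny policy (assumption of this example) to exercise step 1.
POLICY_C = policy("no-select-for-contractors", PRIORITY_NORMAL, ["*"],
                  deny=[item(["contractors"], "select")])
POLICIES = [POLICY_A, POLICY_B, POLICY_C]

_COND_RE = re.compile(r"^\$\{\{USER\.(\w+)\}\}\s*==\s*'([^']*)'$")

def condition_holds(cond, user_attrs):
    """Evaluate only the condition shape used on this page: ${{USER.x}} == 'v'."""
    for expr in cond["values"]:
        m = _COND_RE.match(expr.strip())
        if not m:
            raise ValueError(f"unsupported condition expression: {expr!r}")
        attr, expected = m.groups()
        if user_attrs.get(attr) != expected:
            return False
    return True

def resource_matches(pol, database):
    return any(fnmatch.fnmatchcase(database, v)
               for v in pol["resources"]["database"]["values"])

def specificity(pol):
    """More specific resource wins: count the literal (non-wildcard) characters."""
    return max(len(v.replace("*", "")) for v in pol["resources"]["database"]["values"])

def item_applies(it, request):
    return bool(set(it["groups"]) & set(request["groups"])
                and any(a["type"] == request["access"] for a in it["accesses"])
                and all(condition_holds(c, request["user_attrs"]) for c in it["conditions"]))

def pick_override(overrides):
    """Conflicting overrides: most specific resource first, then policy name."""
    return sorted(overrides, key=lambda p: (-specificity(p), p["name"]))[0]

def evaluate(policies, request):
    """Return (allowed, deciding_policy_name) following the documented order."""
    matching = [p for p in policies if resource_matches(p, request["database"])]
    # 1. A matching deny item wins outright.
    for p in matching:
        if any(item_applies(i, request) for i in p["denyPolicyItems"]):
            return False, p["name"]
    # 2./3. An override decides its whole resource scope: broader, normal-priority
    #       policies are not consulted, which is what the use case relies on.
    overrides = [p for p in matching if p["policyPriority"] == PRIORITY_OVERRIDE]
    if overrides:
        decider = pick_override(overrides)
        return any(item_applies(i, request) for i in decider["policyItems"]), decider["name"]
    # 4. Otherwise any normal policy with an applicable allow item grants access.
    for p in matching:
        if any(item_applies(i, request) for i in p["policyItems"]):
            return True, p["name"]
    return False, None

def request(groups, database, access="select", **user_attrs):
    return {"groups": list(groups), "database": database,
            "access": access, "user_attrs": user_attrs}

if __name__ == "__main__":
    for r in [request(["analysts"], "finance_db", department="finance"),
              request(["analysts"], "finance_db", department="marketing"),
              request(["analysts"], "sales_db", department="marketing"),
              request(["analysts", "contractors"], "sales_db", department="finance")]:
        print(r["groups"], r["database"], "->", evaluate(POLICIES, r))
```

Running the script prints the four decisions. The point to notice is that once Policy B is an override it decides every request for finance_db, so a marketing analyst is refused even though Policy A alone would allow them, while requests for other databases fall through to Policy A and a matching deny item beats both. The exact behaviour of a real deployment depends on the Ranger version and plugin, so confirm it with the access-scenario testing recommended under Best Practices.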

Best Practices

  • Use overrides to enforce exceptions to general rules
  • Keep policies as specific as possible to reduce reliance on overrides
  • Always document the intent of an override policy
  • Test access scenarios to validate override behavior