ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Balaji Ganesan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-606) Add support for deny policies
Date Thu, 29 Oct 2015 03:47:27 GMT

    [ https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14979750#comment-14979750

Balaji Ganesan commented on RANGER-606:

[~yzhou2001] Thanks for your response. I had some issues understanding your alternative proposals.
Would you be kind enough and explain your proposal with some examples? Time stamped policies,
though make sense technically, sound more complex to an average user to keep track of. If
a security solution is complex, users would probably stop using it. 

My take would be keep the policy definition to start with and iterate as we get feedback from
Ranger user community. The initial concern with deny exceptions was that users would need
to be intelligent enough to figure out to use that if they need to exclude users from a global

> Add support for deny policies 
> ------------------------------
>                 Key: RANGER-606
>                 URL: https://issues.apache.org/jira/browse/RANGER-606
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
> Currently Ranger supports creation of policies that can allow access when specific conditions
are met (for example, resources, user, groups, access-type, custom-conditions..). In addition
to this, having the ability to create policies that deny access for specific conditions will
help address many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like resources/users/groups/access-types/custom-conditions

This message was sent by Atlassian JIRA

View raw message