ranger-dev mailing list archives

From "Balaji Ganesan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-606) Add support for deny policies
Date Thu, 29 Oct 2015 03:57:27 GMT

    [ https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14979759#comment-14979759 ]

Balaji Ganesan commented on RANGER-606:

Yan, thanks for your response. I had some issues understanding your
alternative proposals. Would you be kind enough to explain your proposal
with some examples? Time-stamped policies, though they make sense technically,
sound more complex for an average user to keep track of. If a security
solution is complex, users would probably stop using it.

My take would be to keep the policy definition to start with and iterate as we
get feedback from the Ranger user community. The initial concern with deny
exceptions was that users would need to be intelligent enough to figure out
to use that if they need to exclude users from a global deny.

> Add support for deny policies 
> ------------------------------
>                 Key: RANGER-606
>                 URL: https://issues.apache.org/jira/browse/RANGER-606
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
> Currently Ranger supports creation of policies that can allow access when specific conditions
> are met (for example, resources, user, groups, access-type, custom-conditions..). In addition
> to this, having the ability to create policies that deny access for specific conditions will
> help address many use cases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like resources/users/groups/access-types/custom-conditions
