ranger-dev mailing list archives

From "Alok Lal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-704) Service enable/disable should refresh the policies in the plugins
Date Thu, 22 Oct 2015 04:13:27 GMT

    [ https://issues.apache.org/jira/browse/RANGER-704?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14968508#comment-14968508 ]

Alok Lal commented on RANGER-704:
---------------------------------

Use case: We need a way to temporarily "disable" Ranger (take Ranger out of the picture) without
having to bounce the service being authorized by Ranger.  For components that have fallback
to native ACL, this disabling would be a fail-open.  For those that don't, this disabling would
be fail-close.

In systems that allow fail-open, this can serve as a powerful diagnostic tool during implementation
and configuration.  The alternative, to remove Ranger without having to lose your plugin configuration,
seems far too error-prone.  No?

> Service enable/disable should refresh the policies in the plugins
> -----------------------------------------------------------------
>
>                 Key: RANGER-704
>                 URL: https://issues.apache.org/jira/browse/RANGER-704
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Abhay Kulkarni
>
> When a service is disabled, the plugins should be refreshed with an empty policy list -
> as if no policy exists in the service. In this case, components like HDFS and YARN will
> enforce component ACLs (since fallback is set to true by default); other components will deny
> any access, since no policy exists to allow any access. And when the service is
> enabled, the plugins should be refreshed with the policies in the service. To achieve this:
>  - the policyVersion associated with the service should be incremented whenever the service
> is enabled or disabled, so that the next policy refresh call will send the updated policy list
>  - the policy refresh implementation should return an empty policy list when the service is
> disabled



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
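
The two steps from the issue description, modelled as an added example that is not part of the original message and is not Ranger's code: it shows what a polling plugin enforces after a disable, with and without the policyVersion bump. `AdminService`, `Plugin` and `scenario` are hypothetical names, the policies and native ACL are constructed, and the "return nothing when the plugin's version is current" behaviour is an assumption about how the refresh call works.

```python
# Toy model of the RANGER-704 proposal; all names are hypothetical, not Ranger's API.

class AdminService:
    def __init__(self, policies):
        self.policies = list(policies)  # (user, resource) allow rules
        self.enabled = True
        self.policy_version = 1

    def set_enabled(self, enabled, bump_version=True):
        if enabled != self.enabled:
            self.enabled = enabled
            if bump_version:  # step 1 of the proposal
                self.policy_version += 1

    def download(self, last_known_version):
        """Return (version, policies), or None if the plugin is current."""
        if last_known_version == self.policy_version:
            return None
        # step 2: a disabled service looks like one with no policies
        return self.policy_version, (list(self.policies) if self.enabled else [])

class Plugin:
    def __init__(self, admin, native_acl=None):
        self.admin = admin
        self.native_acl = native_acl  # None means no native-ACL fallback
        self.version, self.policies = -1, []

    def refresh(self):
        update = self.admin.download(self.version)
        if update is not None:
            self.version, self.policies = update

    def is_allowed(self, user, resource):
        if (user, resource) in self.policies:
            return True
        if self.native_acl is not None:  # fallback component, e.g. HDFS
            return (user, resource) in self.native_acl
        return False  # no fallback: nothing allows, so deny

def scenario(bump_version):
    """Disable the service, refresh both plugins, return their decisions."""
    admin = AdminService([("alice", "/data")])  # constructed sample policy
    fallback, strict = Plugin(admin, native_acl={("bob", "/data")}), Plugin(admin)
    for state in (True, False):  # initial refresh while enabled, then disable
        admin.set_enabled(state, bump_version)
        fallback.refresh()
        strict.refresh()
    return (fallback.is_allowed("alice", "/data"),
            fallback.is_allowed("bob", "/data"), strict.is_allowed("alice", "/data"))
```

With the bump, the fallback plugin decides purely on its native ACL and the plugin without fallback denies everything; without it, both keep enforcing the cached policies as if the service were still enabled.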
