[ https://issues.apache.org/jira/browse/RANGER-406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15467828#comment-15467828 ]
Nigel Jones commented on RANGER-406:
------------------------------------
I think this is a good point -- currently the typical actions are
- permit/deny
- filter
- mask
However, there are a number of other "governance" related actions that ranger+plugins could (and should) support:
- Audit logging only (in this case if a policy is not satisfied)
- recording usage information for metering (i.e. cloud services)
- perform validation on write/updates (based on values supplied, i.e. meeting policy)
- altering a request, for example automatically adding context to be written during an update or looking up a code against reference data
- forcing encryption of data to be written
- Initiating an asynchronous action (for further checks, fraud, remediation perhaps through a human or automated workflow) since not every check can be completed synchronously
Further, I think that as per RANGER-1168 this should be done for tag based policies as well as those that are resource based.
Technically a plugin could do all of these today, but more clarity/consistency in UI, docs & perhaps the server/plugins could help (I'm not yet familiar enough with the code structure ??)
> Policy manager should support a way to just ask for auditability instead of access (and auditability).
> ------------------------------------------------------------------------------------------------------
>
> Key: RANGER-406
> URL: https://issues.apache.org/jira/browse/RANGER-406
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Alok Lal
>
> For some cases like HBase where superusers are exempt from access validation, getting a lightweight way to just check for auditability would be beneficial and performant.