ranger-dev mailing list archives

From Tanping Wang <tanpi...@gmail.com>
Subject Re: Precedence of Multiple Security Policies in Ranger
Date Thu, 02 Jul 2015 21:32:43 GMT
Hi, Balaji,
Thanks for the reply!

When you say
> Ranger will provide access based on the first policy that permits the
> access.

The "first" refers to the "oldest" policy that is created by timeline?
Suppose I have two policies:
the first one was created in the year of 2014 which gives me every
permission
the second one was created in the year of 2015 which only gives me
some permission


No matter what I do, as long as I have the "oldest" security policy on, I
always have all permissions?

If I understand this correctly, this is not very logical, is it?  There
should be some rules to follow in order to decide the precedence of
multiple policies.

Regards,
Tanping



On Thu, Jul 2, 2015 at 2:06 AM, Balaji Ganesan <balaji.ganesan03@gmail.com>
wrote:

> Tanping, Ranger is based on a permissive model. When Ranger is doing a
> policy evaluation, and if there are multiple policies for the user, then
> Ranger will provide access based on the first policy that permits the
> access. In Ranger 0.5, the audit log contains the policy id which granted
> the access, users can find out which policy provided the access to the
> user.
>
> On Thu, Jul 2, 2015 at 2:08 AM, Tanping Wang <tanpingw@gmail.com> wrote:
>
> > Hi, All,
> > I hope I made myself clear in my question.  If not, please let me know.
> > Basically I am asking:
> >
> > If I have multiple security policies set up for one component, HDFS, for
> > example, speaking of the end result of the permission,  is it a UNION of
> > the multiple security policies or is it an intersection or is it one
> > security policy takes the precedence?  How does Ranger decide?
> >
> > Regards,
> > Tanping
> >
> > On Wed, Jul 1, 2015 at 2:54 AM, Tanping Wang <tanpingw@gmail.com> wrote:
> >
> > > Hi,
> > > I would like to understand the precedence of multiple security policies in
> > > Ranger.  For example,
> > > I have a global security policy for HDFS which has all the permissions
> > > open to a user, John
> > > I have a second security policy for HDFS which has /user/hive open to the
> > > user, John.
> > >
> > > If I have both of them on, my understanding is John would have all
> > > permissions inherited from HDFS base Unix.
> > >
> > > How does the precedence get calculated?
> > >
> > > Regards,
> > > Tanping
> > >
> >
>
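
Added example (not part of the original thread, and not Ranger's own code): a simplified Python model of the permissive, first-permitting-policy evaluation described in Balaji's reply, applied to the two HDFS policies from the question. The `Policy` class, the policy ids and the access-type names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    policy_id: int     # hypothetical id, as would appear in the audit log
    path: str          # resource path the policy covers
    recursive: bool    # True: also covers everything below path
    grants: dict       # user -> set of permitted access types

    def covers(self, resource):
        if resource == self.path:
            return True
        return self.recursive and resource.startswith(self.path.rstrip("/") + "/")

    def permits(self, user, access, resource):
        return self.covers(resource) and access in self.grants.get(user, set())

def evaluate(policies, user, access, resource):
    """First policy that permits the access grants it; returns (allowed, policy_id)."""
    for policy in policies:
        if policy.permits(user, access, resource):
            return True, policy.policy_id
    return False, None   # no policy in this model grants the access

def effective_permissions(policies, user, resource):
    """Every access type some matching policy grants: the union across policies."""
    return {a for p in policies if p.covers(resource)
            for a in p.grants.get(user, set())}

# Constructed policies mirroring the question: a global one and one for /user/hive.
GLOBAL = Policy(1, "/", True, {"john": {"read", "write", "execute"}})
HIVE = Policy(2, "/user/hive", True, {"john": {"read"}})

if __name__ == "__main__":
    for order in ([GLOBAL, HIVE], [HIVE, GLOBAL]):
        ids = [p.policy_id for p in order]
        for access in ("read", "write"):
            print(ids, access, evaluate(order, "john", access, "/user/hive/t1"))
    print(sorted(effective_permissions([HIVE, GLOBAL], "john", "/user/hive/t1")))
```

In this model, reordering the policies changes only the policy id that would be recorded for a grant, never the decision itself, so the narrower policy does not restrict what the broader one permits.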
