ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Balaji Ganesan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-606) Add support for deny policies
Date Thu, 05 Nov 2015 01:23:28 GMT

    [ https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14990892#comment-14990892

Balaji Ganesan commented on RANGER-606:

[~yzhou2001] Thanks for your feedback again and sorry for the late reply. My comments based
on your response
 <<DENY is to be added, but not as a different type of policy item; but as a convenience
utility and work in the scope of individual repositories>>
I was thinking of adding Deny in the service definition, which would mean deny could be added
per service. For example, Hive service definition could like this (I have attached a link
for service definition with this JIRA).
			"itemId": 1,
			"name": "allow",
			"label": "Allow"

			"itemId": 2,
			"name": "allow-exception",
			"label": "Allow-Exception"

			"itemId": 3,
			"name": "Deny",
			"label": "Deny"

			"itemId": 4,
			"name": "deny-exception",
			"label": "Deny-Exception"
We probably need a UI to change this. This is similar to a repository, except it can be applied
easily using REST APIs or potentially UI. We can have deny policies for tag level policies
only or only for Hive. 

<< For each type of resources, identify the privilege keys, adding the guard in code
against the attempts to create duplicate entries on the keys to guarantee the privilege uniqueness.
For instance, currently for HDFS, path is used as a key to guarantee the uniqueness between
policies. In addition, the user list too should be checked in each policy to guarantee the
uniqueness of the combinatorial key of (path, user)>>
Ranger creates an error if the users tries to create policy for same resource. I like the
idea of make it smarter to involve users in the check as well. With the introduction of tag
policies, there will be conflicts between tag policies and individual resource level policies,
the code should check if there is a tag existing for a resource and if there is a policy existing
for that. We can probably create a discuss thread on this. Is this something you would be
interested to help with?

> Add support for deny policies 
> ------------------------------
>                 Key: RANGER-606
>                 URL: https://issues.apache.org/jira/browse/RANGER-606
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
> Currently Ranger supports creation of policies that can allow access when specific conditions
are met (for example, resources, user, groups, access-type, custom-conditions..). In addition
to this, having the ability to create policies that deny access for specific conditions will
help address many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like resources/users/groups/access-types/custom-conditions

This message was sent by Atlassian JIRA

View raw message