ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "rangerqa (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-877) Exceptions in policies: allow-exceptions should implicitly deny; deny-exceptions should implicitly allow
Date Tue, 08 Mar 2016 17:30:41 GMT

    [ https://issues.apache.org/jira/browse/RANGER-877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185310#comment-15185310
] 

rangerqa commented on RANGER-877:
---------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12791908/0001-RANGER-877-Exceptions-in-policies-allowExceptions-sh.patch
  against master revision 3620842.

    {color:red}-1 patch{color}.  master compilation may be broken.

Console output: https://builds.apache.org/job/PreCommit-RANGER-Build/94//console

This message is automatically generated.

> Exceptions in policies: allow-exceptions should implicitly deny; deny-exceptions should
implicitly allow
> --------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-877
>                 URL: https://issues.apache.org/jira/browse/RANGER-877
>             Project: Ranger
>          Issue Type: Sub-task
>          Components: plugins
>    Affects Versions: 0.6.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.6.0
>
>         Attachments: 0001-RANGER-877-Exceptions-in-policies-allowExceptions-sh.patch
>
>
> In the current policy model (in 0.6), adding an user/group to allowExceptions does not
automatically deny access to the user/group; the user/group should explicitly be added to
denyPolicyItems. Similarly adding an user/group to denyExceptions does not allow access to
the user/group; the user/group should explicitly be added to allowPolicyItems.
> While this behavior offers flexibility, it does not seem very intuitive for many users.
Hence this JIRA to ask for change in the policy engine to implicitly treat allowExceptions
as deny and denyExceptions as allow.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message