ranger-dev mailing list archives

From "Nigel Jones (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-406) Policy manager should support a way to just ask for auditability instead of access (and auditability).
Date Tue, 06 Sep 2016 16:30:20 GMT

    [ https://issues.apache.org/jira/browse/RANGER-406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15467828#comment-15467828 ]

Nigel Jones commented on RANGER-406:

I think this is a good point -- currently the typical actions are
 - permit/deny
 - filter
 - mask

However there are a number of other "governance" related actions that ranger+plugins could
(and should) support
 - Audit logging only (in this case if a policy is not satisfied)
 - recording usage information for metering (i.e. cloud services)
 - perform validation on write/updates (based on values supplied, i.e. meeting policy)
 - altering a request, for example automatically adding context to be written during an update
or looking up a code against reference data
 - forcing encryption of data to be written
 - Initiating an asynchronous action (for further checks, fraud, remediation perhaps through
a human or automated workflow) since not every check can be completed synchronously

Further I think that as per RANGER-1168 this should be done for tag based policies as well
as those that are resource based.

Technically a plugin could do all of these today, but more clarity/consistency in UI, docs
& perhaps the server/plugins could help (I'm not yet familiar enough with the code structure

> Policy manager should support a way to just ask for auditability instead of access (and
> ------------------------------------------------------------------------------------------------------
>                 Key: RANGER-406
>                 URL: https://issues.apache.org/jira/browse/RANGER-406
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>            Reporter: Alok Lal
> For some cases like Hbase where superusers are exempt from access validation getting
> a lightweight way to just check for auditability would be beneficial and performant.

This message was sent by Atlassian JIRA
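
A minimal sketch of the audit-only check requested in RANGER-406, added here as an illustration and not taken from Ranger's code or from the thread. The policy model, function names and sample policies are hypothetical. It shows a superuser skipping access evaluation while the audit decision is still computed from the resource alone.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Policy:
    resource: str           # glob over resource names, e.g. "table:finance.*"
    allow_users: frozenset  # users granted access by this policy
    audit: bool = True      # whether requests matching this policy are audited


# Constructed sample policies (hypothetical, not from the issue).
POLICIES = [
    Policy("table:finance.*", frozenset({"alice"}), audit=True),
    Policy("table:scratch.*", frozenset({"alice", "bob"}), audit=False),
]


def is_audited(resource, policies=POLICIES):
    """Audit-only check: match on the resource, skip user evaluation entirely."""
    return any(p.audit and fnmatch(resource, p.resource) for p in policies)


def is_allowed(user, resource, policies=POLICIES):
    """Full access check: deny unless a matching policy lists the user."""
    return any(fnmatch(resource, p.resource) and user in p.allow_users
               for p in policies)


def authorize(user, resource, superusers=frozenset(), audit_log=None):
    """Return (allowed, audited).

    Superusers are exempt from the access check but not from the audit
    check, so their activity still produces an audit record.
    """
    if user in superusers:
        allowed, reason = True, "superuser-exempt"
    else:
        allowed = is_allowed(user, resource)
        reason = "policy" if allowed else "no-matching-allow"
    audited = is_audited(resource)
    if audited and audit_log is not None:
        audit_log.append({"user": user, "resource": resource,
                          "allowed": allowed, "reason": reason})
    return allowed, audited
```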
