ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Madhan Neethiraj (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1199) Optimize tag-download to include only tags that have policies
Date Wed, 14 Dec 2016 19:38:59 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15749264#comment-15749264

Madhan Neethiraj commented on RANGER-1199:

The side effect of this optimization is that only the tags that have tag-based policies will
be shown in the audit logs. Consider the following:
- table 'default.tbl1' is tagged with PII and FINANCE tags
- there is a tag-based policy for PII
- there is no tag-based policy for FINACE

Audit log for access to 'default.tbl1' will only show tag PII and not FINANCE. Prior to this
optimization, the audit log would show all the tags associated with the resource - irrespective
of whether tag-based policy exist for a tag or not.

I think it will be useful to have the ability to 'turn-off' this optimization - via a Ranger
Admin configuration, to get back the earlier behavior. However, the optimization should be
enabled by default.

[~abhayk] - please review.

> Optimize tag-download to include only tags that have policies
> -------------------------------------------------------------
>                 Key: RANGER-1199
>                 URL: https://issues.apache.org/jira/browse/RANGER-1199
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 0.6.0, 0.6.1
>            Reporter: Madhan Neethiraj
>            Assignee: Abhay Kulkarni
>             Fix For: 0.7.0
> For the calls to download tags from plugins, Ranger Admin returns all the service-resources
that have one or more tags associated. This can be optimized to include only service-resources
that have tags for which policies exists.
> For example, if tag-based policies exists for tags PII and PCI, Ranger Admin should return
service-resources that are associated with PII or PCI tags only; any service-resource that
is not associated with either of these tags should be excluded. In addition to reducing the
size of the tag-download, this can improve policy-engine performance by not having to deal
with tags that don't have policies.

This message was sent by Atlassian JIRA

View raw message