ranger-dev mailing list archives

From "Don Bosco Durai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1300) S3 support
Date Tue, 26 Jun 2018 19:28:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16524131#comment-16524131 ]

Don Bosco Durai commented on RANGER-1300:

{quote}Although I think the policy evaluation in Ranger is complex and counterintuitive with
all the weights etc (why not use a firewall approach and use the order by which it was entered?){quote}
It will be a long discussion with lots of history :) There are Ranger deployments which
contain 1000s of policies, so policy evaluation time is very critical in HDFS and other high
volume components. The same will be applicable for Object Store also. Also, the policy engine
itself is a framework and advanced policies can be built on the framework. The framework supports
user extension for context enrichment (similar to resource tags), conditional policies (e.g.
custom time-based policies), etc. Once you add Deny policy and policy evaluation order, it
further complicates the implementation. The team is constantly updating the implementation.
If you have suggestions, we should start another thread to discuss it.

{quote}I don't know if Ranger knows a kind of event that is fired off when a policy change happens?
If that exists you could manage many permissions directly from Ranger.{quote}
I recently gave a talk at DataWorks Summit on explicitly managing the policies on S3
according to Ranger Tag-Based policies. One open item was to reverse sync policies from S3
to Ranger. If that is what you are mentioning, then in S3 one option is to monitor for AWSConfig
events and update Ranger or roll it back. Currently, because of the limitation on S3 on the number
of policies, it might not be practical to manage S3 resource level policies with Ranger.

> S3 support
> ----------
>                 Key: RANGER-1300
>                 URL: https://issues.apache.org/jira/browse/RANGER-1300
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Jose
>            Priority: Major
>         Attachments: ranger-servicedef-aws-s3.json
> As more and more people are deploying Hadoop into AWS and as S3 is used in lots of applications,
> it'd be nice to have S3 support built into Ranger.
> It's not a trivial task. Right now Ranger Storage support (only hdfs) runs directly in
> the Namenode

This message was sent by Atlassian JIRA
