ranger-dev mailing list archives

From "Abhishek Shukla (Jira)" <j...@apache.org>
Subject [jira] [Created] (RANGER-3330) [Atlas classification authorization] _CLASSIFIED classification not supported in atlas policies
Date Thu, 08 Jul 2021 10:44:00 GMT
Abhishek Shukla created RANGER-3330:
---------------------------------------

             Summary: [Atlas classification authorization] _CLASSIFIED classification not supported in atlas policies
                 Key: RANGER-3330
                 URL: https://issues.apache.org/jira/browse/RANGER-3330
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 2.2.0
            Reporter: Abhishek Shukla


*Test Policies*: 
{code:java}
    {
      "service": "cm_atlas",
      "name": "test_atlas_with_classification_auth_policy_2",
      "policyType": 0,
      "policyPriority": 0,
      "description": "test_atlas_with_classification_auth_policy_2",
      "isAuditEnabled": true,
      "resources": {
        "entity-type": {
          "values": [
            "*"
          ],
          "isExcludes": false,
          "isRecursive": false
        },
        "entity-classification": {
          "values": [
            "_NOT_CLASSIFIED"
          ],
          "isExcludes": false,
          "isRecursive": false
        },
        "classification": {
          "values": [
            "PII"
          ],
          "isExcludes": false,
          "isRecursive": false
        },
        "entity": {
          "values": [
            "*"
          ],
          "isExcludes": false,
          "isRecursive": false
        }
      },
      "policyItems": [
        {
          "accesses": [
            {
              "type": "entity-add-classification",
              "isAllowed": true
            },
            {
              "type": "entity-update-classification",
              "isAllowed": true
            },
            {
              "type": "entity-remove-classification",
              "isAllowed": true
            }
          ],
          "users": [
            "hrt_2"
          ],
          "groups": [],
          "roles": [],
          "conditions": [],
          "delegateAdmin": true
        }
      ],
      "denyPolicyItems": [],
      "allowExceptions": [],
      "denyExceptions": [],
      "dataMaskPolicyItems": [],
      "rowFilterPolicyItems": [],
      "serviceType": "atlas",
      "options": {},
      "validitySchedules": [],
      "policyLabels": [],
      "zoneName": "",
      "isDenyAllElse": false,
      "id": 37,
      "guid": "3231a2cf-d819-48ec-a3e7-89e960499b85",
      "isEnabled": true,
      "version": 1
    },
    {
      "service": "cm_atlas",
      "name": "test_atlas_with_classification_auth_policy_3",
      "policyType": 0,
      "policyPriority": 0,
      "description": "test_atlas_with_classification_auth_policy_3",
      "isAuditEnabled": true,
      "resources": {
        "entity-type": {
          "values": [
            "*"
          ],
          "isExcludes": false,
          "isRecursive": false
        },
        "entity-classification": {
          "values": [
            "_CLASSIFIED"
          ],
          "isExcludes": false,
          "isRecursive": false
        },
        "classification": {
          "values": [
            "FINANCE"
          ],
          "isExcludes": false,
          "isRecursive": false
        },
        "entity": {
          "values": [
            "*"
          ],
          "isExcludes": false,
          "isRecursive": false
        }
      },
      "policyItems": [
        {
          "accesses": [
            {
              "type": "entity-add-classification",
              "isAllowed": true
            },
            {
              "type": "entity-update-classification",
              "isAllowed": true
            },
            {
              "type": "entity-remove-classification",
              "isAllowed": true
            }
          ],
          "users": [
            "hrt_2"
          ],
          "groups": [],
          "roles": [],
          "conditions": [],
          "delegateAdmin": true
        }
      ],
      "denyPolicyItems": [],
      "allowExceptions": [],
      "denyExceptions": [],
      "dataMaskPolicyItems": [],
      "rowFilterPolicyItems": [],
      "serviceType": "atlas",
      "options": {},
      "validitySchedules": [],
      "policyLabels": [],
      "zoneName": "",
      "isDenyAllElse": false,
      "id": 37,
      "guid": "3231a2cf-d819-48ec-a3e7-89e960499b85",
      "isEnabled": true,
      "version": 1
    }
{code}
 - User hrt_2 tries to add a PII tag to an entity that doesn't have any pre-existing tag associated with it; this operation is successful.

 - Now it tries to add a FINANCE tag to the same entity, and the expectation is that the tag should be allowed to be added, but it's denied access from the atlas plugin.

 

Do we not support _CLASSIFIED keyword in the entity-classification resource? 

Since _NOT_CLASSIFIED is supported and also shown in the dropdown in the Ranger admin UI while creating an atlas policy, but the same is not true for _CLASSIFIED.

 

Creating this Jira for more discussion on this issue.

cc [~nixon]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
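
As an added example (not part of the original message or of Ranger's own code): a small check an administrator could run over exported policies to find enabled Atlas policies whose entity-classification resource uses `_CLASSIFIED`, which the report shows did not grant access on 2.2.0. The function name and the trimmed sample input are assumptions made for the illustration.

```python
import json

# Per the report: _NOT_CLASSIFIED is accepted in entity-classification,
# while a policy using _CLASSIFIED did not grant access on Ranger 2.2.0.
UNSUPPORTED_KEYWORDS = {"_CLASSIFIED"}

def lint_atlas_policies(policies):
    """Return one finding per enabled Atlas policy that relies on an
    entity-classification keyword the report shows is not honoured."""
    findings = []
    for policy in policies:
        if policy.get("serviceType") != "atlas" or not policy.get("isEnabled", True):
            continue
        resource = policy.get("resources", {}).get("entity-classification", {})
        bad = sorted(set(resource.get("values", [])) & UNSUPPORTED_KEYWORDS)
        if not bad:
            continue
        users, accesses = set(), set()
        for item in policy.get("policyItems", []):
            users.update(item.get("users", []))
            accesses.update(a["type"] for a in item.get("accesses", [])
                            if a.get("isAllowed"))
        findings.append({"policy": policy.get("name"), "keywords": bad,
                         "users": sorted(users), "accesses": sorted(accesses)})
    return findings

# Constructed sample: the two policies from the report, trimmed to the
# fields this check reads (hypothetical export, not real Ranger output).
SAMPLE = json.loads("""[
  {"name": "test_atlas_with_classification_auth_policy_2",
   "serviceType": "atlas", "isEnabled": true,
   "resources": {"entity-classification": {"values": ["_NOT_CLASSIFIED"]},
                 "classification": {"values": ["PII"]}},
   "policyItems": [{"users": ["hrt_2"], "accesses": [
       {"type": "entity-add-classification", "isAllowed": true}]}]},
  {"name": "test_atlas_with_classification_auth_policy_3",
   "serviceType": "atlas", "isEnabled": true,
   "resources": {"entity-classification": {"values": ["_CLASSIFIED"]},
                 "classification": {"values": ["FINANCE"]}},
   "policyItems": [{"users": ["hrt_2"], "accesses": [
       {"type": "entity-add-classification", "isAllowed": true}]}]}
]""")

if __name__ == "__main__":
    for f in lint_atlas_policies(SAMPLE):
        print(f"{f['policy']}: {f['keywords']} affects {f['users']} for {f['accesses']}")
```

A finding means the listed users may be denied the listed accesses even though an allow policy exists, which is the behaviour described for hrt_2 and the FINANCE tag.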
