xunliu commented on PR #5629: URL: https://github.com/apache/gravitino/pull/5629#issuecomment-2488000991
Hi @theoryxu, thank you for your attention to this problem.

The problem now is that Gravitino will only maintain a Ranger Policy with the `MANAGED_BY_GRAVITINO` label, but if a user already has a Ranger service, that can lead to conflicts.

1. Gravitino's Policy has its own set of management rules, which may conflict with what the user has set arbitrarily.
2. Therefore, only a Ranger Policy with the `MANAGED_BY_GRAVITINO` label is maintained.

But that's a pretty big limitation.

1. There is only one Ranger policy for each resource (`db1.tab1`).
2. If a user's old Ranger service already has the `db1.tab1` policy, this policy may not conform to Gravitino's authority specification, and there may be problems if Gravitino is asked to directly update this Policy.
3. So now Gravitino, through the `RangerHelper.WildcardSearchPolies()` function, will only find the policy with the `MANAGED_BY_GRAVITINO` label.
4. If the old Ranger already has this policy, but Gravitino cannot operate it, there will be problems.

The solution:

1. Use the conversion tool to convert all the old Ranger policies into Gravitino norms.
2. Modify the Gravitino specification to become a free setting that can be compatible.

I think option 2 is good.
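An added example (not from the PR or from Gravitino's code): a pre-migration check that lists the resources whose existing Ranger policy lacks the `MANAGED_BY_GRAVITINO` label, which a label-filtered search would not return. The dictionaries follow Ranger's policy JSON shape (`policyLabels`, `resources`); the sample data, the function names and the Hive-style `database.table.column` key are assumptions.

```python
import itertools

MANAGED_LABEL = "MANAGED_BY_GRAVITINO"          # label named in the comment
HIVE_LEVELS = ("database", "table", "column")   # assumed Hive-style hierarchy

# Constructed sample in the shape of a Ranger policy export (not real data).
SAMPLE_POLICIES = [
    {"name": "legacy-tab1", "policyLabels": [],
     "resources": {"database": {"values": ["db1"]},
                   "table": {"values": ["tab1"]}}},
    {"name": "gravitino-tab2", "policyLabels": ["MANAGED_BY_GRAVITINO"],
     "resources": {"database": {"values": ["db1"]},
                   "table": {"values": ["tab2"]}}},
    {"name": "legacy-multi", "policyLabels": ["team-a"],
     "resources": {"database": {"values": ["db2"]},
                   "table": {"values": ["t1", "t2"]}}},
]


def resource_keys(policy):
    """Expand a policy's resource map into keys such as 'db1.tab1'.

    Each level may list several values, so one policy can cover several
    resources. Wildcards are kept literally and are not expanded.
    """
    resources = policy.get("resources") or {}
    levels = [resources[lvl].get("values", [])
              for lvl in HIVE_LEVELS if lvl in resources]
    if not levels:
        return set()
    return {".".join(combo) for combo in itertools.product(*levels)}


def is_managed(policy):
    """True when the policy carries the Gravitino management label."""
    return MANAGED_LABEL in (policy.get("policyLabels") or [])


def unmanaged_resources(policies):
    """Map each resource key to the unlabelled policies that cover it."""
    found = {}
    for policy in policies:
        if is_managed(policy):
            continue
        for key in resource_keys(policy):
            found.setdefault(key, []).append(policy["name"])
    return {key: sorted(names) for key, names in sorted(found.items())}


if __name__ == "__main__":
    for key, names in unmanaged_resources(SAMPLE_POLICIES).items():
        print(f"{key}: not labelled {MANAGED_LABEL}: {', '.join(names)}")
```
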
