Hi Colm, Yes, the default selection of access type does not make sense when we have four policy conditions in the policy from (i.e Allow/AllowExclude/Deny/DenyExclude).
One thing we can do we can keep this future (default selection of access type) for masking and row filter policy type as it contains only one policy condition (Mask/Row filter condition) and disable for access policy form. or We can disable this future for all policy form.(i.e access/making/row filter ). Thanks, Nitin Galave. On Thu, Jun 22, 2017 at 3:54 PM, Mehul Parikh <[email protected]> wrote: > Hi Colm, > > In that case we will have to revert change of : > > 1. To remove auto-select of permission if service has single permission > for policy. > > @Abhay and @Nitin - any other thoughts on this scenario? > > On Thu, Jun 22, 2017 at 3:30 PM, Colm O hEigeartaigh <[email protected]> > wrote: > > > Thanks Mehul! > > > > The problem with the change though, is that if you are only specifying > one > > of the four policy conditions, then you have to edit the other three > > policies to remove "allow", otherwise you get that error. So it actually > > involves more work that just having to add "allow" for the policy you are > > creating. Does that make sense? > > > > Colm. > > > > On Thu, Jun 22, 2017 at 10:53 AM, Mehul Parikh <[email protected]> > wrote: > > > > > Hi Colm, > > > > > > This is one of the latest changes on Ranger UI, done as part of > > RANGER-1492 > > > <https://github.com/apache/ranger/commit/ > 5e82ed83c4f6f360aefd2818c1485c > > > b7dce2027c>. > > > > > > > > > Main reason behind auto-populating Allow condition for Knox was, it had > > > only one permission to be managed for policy administrator. If there is > > > only one permission, it will be useful for end users to have that > > selected > > > on create / edit policy. > > > > > > Other service types are not having by default selected permission > because > > > there are multiple permissions to be selected from. > > > > > > Regarding validation to select user / group: it applies for all > services > > > if any of the permission is selected in policy create / edit screen. > > > > > > > > > On Tue, Jun 20, 2017 at 10:21 PM, Colm O hEigeartaigh < > > [email protected] > > > > > > > wrote: > > > > > > > Hi all, > > > > > > > > With the latest 1.0.0-SNAPSHOT code, when creating a policy for the > > Knox > > > > service, the default permissions for all of the allow and deny > > conditions > > > > is "Allow". > > > > > > > > That means if you are just adding an allow condition you get an > error: > > > > > > > > "Please select group/user for the selected permission, else > group/user > > > will > > > > not be added." > > > > > > > > You have to manually edit all of the other permissions to remove the > > > > "Allow" part. Only Knox seems to be affected, other components create > > > > conditions with an empty permission. > > > > > > > > Is this a regression? Pretty sure I created Knox policies recently > > > without > > > > having to edit them in this way. > > > > > > > > Colm. > > > > > > > > > > > > -- > > > > Colm O hEigeartaigh > > > > > > > > Talend Community Coder > > > > http://coders.talend.com > > > > > > > > > > > > > > > > -- > > > > > > Thanks and regards, > > > Mehul Parikh > > > ---------------------------- > > > M: +91 98191 54446 > > > E: [email protected] > > > > > > > > > > > -- > > Colm O hEigeartaigh > > > > Talend Community Coder > > http://coders.talend.com > > > > > > -- > > Thanks and regards, > Mehul Parikh > ---------------------------- > M: +91 98191 54446 > E: [email protected] > -- *Thanks,Nitin Galave.*
