Rohit,

Currently, Ranger requires an entire resource-hierarchy to be specified in a 
policy. It doesn’t allow policies that stop at a higher-level resource in a 
hierarchy. This is one of the often-asked enhancements to Ranger policy model. 
Can you please file a JIRA with details of your use-cases/requirements?

Abhay is looking into an enhancement to restrict access-types based on the 
resource (for example create/drop access-types are applicable only at 
database/table level, but not at column level). This enhancement might address 
your use-case as well. He would be able to add more details.

Thanks,
Madhan
On 8/24/17, 4:01 PM, "rohit sinha" <[email protected]> wrote:

    Any help with this?
    
    Thanks.
    
    On Thu, Aug 24, 2017 at 12:29 PM rohit sinha <[email protected]>
    wrote:
    
    > Hello,
    >
    > I am writing a Ranger plugin for my service and I am having trouble with
    > two things.
    >
    > 1. Policy match on SELF (No Descendant or Ancestor)
    > The resources in our service have hierarchy just like many other services
    > out there. To achieve this we have defined the hierarchy in the service
    > definition JSON.
    > Now when we create a RangerAccessRequest for enforcement and set the
    > MatchType to SELF, the enforcement call is also successful if the user has
    > privilege on the ancestor of the entity. We don't want this to happen. We
    > want to have a complete match.
    > We looked into providing our own PolicyEvaluator, but it seems like the
    > policy evaluator is not customizable.
    > How can we achieve this using Ranger?
    >
    > 2. Ability to grant privileges on parent level only
    > As mentioned in the previous question our resources have a hierarchy. For
    > example:
    >
    > Level1Resource1 -> Leve2Resource1 -> Level3Resource1
    > Level1Resource1 -> Leve2Resource1 -> Level3Resource2
    > Level1Resource1 -> Leve2Resource2 -> Level3Resource1
    >
    > We have defined this hierarchy in the service definition now we want to
    > grant privilege just on Leve2Resource1. For example, we want to give
    > someone READ on this resource. The Ranger UI does not allow me to do this.
    > I am not able to grant just on Leve2Resource1. The UI asks me to fill in the
    > Level3 resources too. If I mark the Level3 resources as non-mandatory then
    > while adding the privilege I get an error from the backend.
    > How can I grant privileges to such resources?
    >
    > Thanks.
    >
    -- 
    Thanks,
    Rohit Sinha
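A small model, added here and not Ranger's own evaluator code, of the two matching semantics the thread contrasts (strict SELF versus ancestor-inclusive) over the Level1 -> Level2 -> Level3 hierarchy from the question; the level names `level1`..`level3`, the users and the READ access type are constructed for the example.

```python
from dataclasses import dataclass

# Assumed resource-level names; the thread only calls them Level1/Level2/Level3.
HIERARCHY = ("level1", "level2", "level3")


@dataclass(frozen=True)
class Policy:
    resource: dict            # resource value per level; may stop at a higher level
    users: frozenset
    access_types: frozenset


def match_type(policy_res, request_res):
    """Relate a policy's resource to the requested one.

    SELF: same depth and every level matches; ANCESTOR: policy stops above the
    request; DESCENDANT: policy is more specific than the request; None: mismatch.
    """
    for level in HIERARCHY:
        p, r = policy_res.get(level), request_res.get(level)
        if p is None and r is None:
            return "SELF"
        if p is None:
            return "ANCESTOR"
        if r is None:
            return "DESCENDANT"
        if p != "*" and p != r:
            return None
    return "SELF"


def is_allowed(policies, user, access, request_res, scope="SELF_OR_ANCESTOR"):
    """Strict SELF scope accepts only exact-depth matches; the default also
    honours policies granted on an ancestor, which is the behaviour described."""
    accepted = {"SELF"} if scope == "SELF" else {"SELF", "ANCESTOR"}
    return any(
        user in pol.users
        and access in pol.access_types
        and match_type(pol.resource, request_res) in accepted
        for pol in policies
    )


# Constructed sample policies: alice has READ on Level1Resource1 only; bob has
# READ on Level1Resource1 -> Leve2Resource1 only (a policy stopping at level 2).
POLICIES = [
    Policy({"level1": "Level1Resource1"}, frozenset({"alice"}), frozenset({"READ"})),
    Policy({"level1": "Level1Resource1", "level2": "Leve2Resource1"},
           frozenset({"bob"}), frozenset({"READ"})),
]
```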
    