Hello Madhan,

Thanks for your reply. I will go ahead and file a JIRA. This answers my questions about not being able to grant privileges to middle-level resources.

Although, how about grants on self (the complete resource) rather than ancestors? Even though I explicitly set the match scope to SELF in my access request, the match happens on the ancestor too. How can I avoid this?

Thanks.

On Thu, Aug 24, 2017 at 11:05 PM Madhan Neethiraj <[email protected]> wrote:

> Rohit,
>
> Currently, Ranger requires an entire resource-hierarchy to be specified in
> a policy. It doesn't allow policies that stop at a higher-level resource in
> a hierarchy. This is one of the often-asked enhancements to the Ranger
> policy model. Can you please file a JIRA with details of your
> use-cases/requirements?
>
> Abhay is looking into an enhancement to restrict access-types based on the
> resource (for example create/drop access-types are applicable only at
> database/table level, but not at column level). This enhancement might
> address your use-case as well. He would be able to add more details.
>
> Thanks,
> Madhan
>
> On 8/24/17, 4:01 PM, "rohit sinha" <[email protected]> wrote:
>
> Any help with this?
>
> Thanks.
>
> On Thu, Aug 24, 2017 at 12:29 PM rohit sinha <[email protected]>
> wrote:
>
> > Hello,
> >
> > I am writing a Ranger plugin for my service and I am having trouble with
> > two things.
> >
> > 1. Policy match on SELF (no descendant or ancestor)
> >
> > The resources in our service have a hierarchy, just like many other
> > services out there. To achieve this we have defined the hierarchy in the
> > service definition JSON.
> >
> > Now, when we create a RangerAccessRequest for enforcement and set the
> > MatchType to SELF, the enforcement call is also successful if the user has
> > privilege on the ancestor of the entity. We don't want this to happen. We
> > want to have a complete match.
> >
> > We looked into providing our own PolicyEvaluator, but it seems like the
> > policy evaluator is not customizable.
> >
> > How can we achieve this using Ranger?
> >
> > 2. Ability to grant privileges on the parent level only
> >
> > As mentioned in the previous question, our resources have a hierarchy.
> > For example:
> >
> > Level1Resource1 -> Level2Resource1 -> Level3Resource1
> > Level1Resource1 -> Level2Resource1 -> Level3Resource2
> > Level1Resource1 -> Level2Resource2 -> Level3Resource1
> >
> > We have defined this hierarchy in the service definition. Now we want to
> > grant privilege just on Level2Resource1. For example, we want to give
> > someone READ on this resource. The Ranger UI does not allow me to do this.
> > I am not able to grant just on Level2Resource1. The UI asks me to fill in
> > the Level3 resources too. If I mark the Level3 resources as non-mandatory,
> > then while adding the privilege I get an error from the backend.
> >
> > How can I grant privileges to such resources?
> >
> > Thanks.
>
> --
> Thanks,
> Rohit Sinha

-- 
Thanks,
Rohit Sinha
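The two behaviours discussed in this thread, as an added example that is not Apache Ranger's code and not part of any of the messages above: a small Python model of hierarchical resource matching. It assumes a three-level hierarchy like the poster's and glob-style wildcards at each level, and shows why a SELF-scoped request still matches a policy written for an ancestor: when every level of the hierarchy is mandatory in a policy, the only way to write a policy "for Level2Resource1" is to set level3 to `*`, and that wildcard covers Level3Resource1. The `EXACT` scope is a hypothetical strict complete-match variant added here for contrast, not a Ranger scope; the policies and requests are constructed sample data.

```python
from enum import Enum
from fnmatch import fnmatchcase

# Resource hierarchy, in the order it would be declared in a service-definition
# JSON (constructed for this example; Ranger's real definitions use richer
# per-level objects, this is only the level order).
HIERARCHY = ["level1", "level2", "level3"]


class Scope(Enum):
    SELF = "SELF"                                # policy resource must cover the request resource
    SELF_OR_DESCENDANTS = "SELF_OR_DESCENDANTS"  # ...or the request may be an ancestor of it
    EXACT = "EXACT"                              # hypothetical strict scope: literal equality per level


def is_complete(policy_resource):
    """True when the policy names every level of the hierarchy."""
    return all(level in policy_resource for level in HIERARCHY)


def validate_policy(policy_resource):
    """Model of the backend rejection the poster hit when level3 was left out."""
    if not is_complete(policy_resource):
        missing = [lvl for lvl in HIERARCHY if lvl not in policy_resource]
        raise ValueError(f"policy must specify the full hierarchy; missing {missing}")
    return True


def level_matches(policy_value, request_value):
    """One hierarchy level; policy values may be glob patterns such as '*'."""
    return fnmatchcase(request_value, policy_value)


def policy_matches(policy_resource, request_resource, scope):
    validate_policy(policy_resource)
    for level in HIERARCHY:
        p = policy_resource[level]
        r = request_resource.get(level)
        if scope is Scope.EXACT:
            # Strict complete match: no wildcard expansion, no implicit lower levels.
            if p != r:
                return False
            continue
        if r is None:
            # The request stops above this level (e.g. a request on Level2Resource1 alone).
            if scope is Scope.SELF_OR_DESCENDANTS:
                return True          # request is an ancestor of the policy resource
            return p == "*"          # SELF: only a policy that leaves this level open matches
        if not level_matches(p, r):
            return False
    return True


def is_access_allowed(policies, request_resource, user, access_type, scope):
    """True if any policy grants access_type to user on the requested resource."""
    return any(
        access_type in pol["accesses"]
        and user in pol["users"]
        and policy_matches(pol["resource"], request_resource, scope)
        for pol in policies
    )


# Constructed sample policies. alice's policy is the only way to "grant READ on
# Level2Resource1" when level3 is mandatory: level3 must be filled, so it is '*'.
POLICIES = [
    {
        "resource": {"level1": "Level1Resource1", "level2": "Level2Resource1", "level3": "*"},
        "users": ["alice"],
        "accesses": ["read"],
    },
    {
        "resource": {"level1": "Level1Resource1", "level2": "Level2Resource1",
                     "level3": "Level3Resource1"},
        "users": ["bob"],
        "accesses": ["read"],
    },
]

LEAF = {"level1": "Level1Resource1", "level2": "Level2Resource1", "level3": "Level3Resource1"}
PARENT = {"level1": "Level1Resource1", "level2": "Level2Resource1"}

if __name__ == "__main__":
    # The behaviour in the thread: the "parent level" policy matches the leaf under SELF.
    print("alice on leaf, SELF :", is_access_allowed(POLICIES, LEAF, "alice", "read", Scope.SELF))
    # Under the hypothetical EXACT scope only bob's literal policy covers the leaf.
    print("alice on leaf, EXACT:", is_access_allowed(POLICIES, LEAF, "alice", "read", Scope.EXACT))
    print("bob   on leaf, EXACT:", is_access_allowed(POLICIES, LEAF, "bob", "read", Scope.EXACT))
    # A policy that stops at level2 is rejected, as the poster saw from the backend.
    print("level2-only policy complete:", is_complete({"level1": "Level1Resource1",
                                                       "level2": "Level2Resource1"}))
```

The point the model makes is that the two questions in the thread are the same problem seen from two sides: SELF scope compares the request against the policy's resource, and a policy that had to name a wildcard for the missing lower levels covers those descendants by construction. A literal level-by-level comparison like `EXACT` removes that, at the cost of also refusing wildcard policies entirely.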
