[
https://issues.apache.org/jira/browse/RANGER-2000?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Abhay Kulkarni updated RANGER-2000:
-----------------------------------
Description:
Currently Ranger policies have effectiveness period that is permanent i.e. once
authored they can only be disabled or enabled. There are many use cases where
such policies or even a policy condition needs to be time bound. For example
certain financial information about earnings that is sensitive and restricted
only until the earnings release date.
it would be great to have the ability to specify with each policy a time
horizon when it is effective (i.e.) either be effective after a certain date
and/or expire after a specific date or only valid within a certain time window
and have Ranger check whether the policy is effective before evaluating in the
policy engine. Therefore, policy authoring can be simplified and does not
require any subsequent action from the user, basically making policy authoring
a one time effort and users do not have to go back disable the policies once it
is past the expiration date.
This means that:
# Ranger policy engine needs to be able to recognize the start and end times
for policies and enforce them based on period of validity specified by the
user.
# Active policies should be checked not only based on the resource, user and
environment context but also whether the policy is effective.
was:
Currently Ranger policies have effectiveness period that is permanent i.e. once
authored they can only be disabled or enabled. There are many use cases where
such policies or even a policy condition needs to be time bound. For example
certain financial information about earnings that is sensitive and restricted
only until the earnings release date.
it would be great to have the ability to specify with each policy or policy
condition a time horizon when it is effective (i.e.) either be effective after
a certain date and/or expire after a specific date or only valid within a
certain time window and have Ranger check whether the policy is effective
before evaluating in the policy engine. Therefore, policy authoring can be
simplified and does not require any subsequent action from the user, basically
making policy authoring a one time effort and users do not have to go back
disable the policies once it is past the expiration date.
This means that:
# Ranger policy engine needs to be able to recognize the start and end times
for policies or specific policy items (conditions) and enforce them based on
period of validity specified by the user.
# Active policies should be checked not only based on the resource, user and
environment context but also whether the policy itself or policy item condition
is effective.
> Policy & policy item effective dates to support time-bound and temporary
> authorization
> --------------------------------------------------------------------------------------
>
> Key: RANGER-2000
> URL: https://issues.apache.org/jira/browse/RANGER-2000
> Project: Ranger
> Issue Type: New Feature
> Components: Ranger
> Reporter: Srikanth Venkat
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: master
>
>
> Currently Ranger policies have effectiveness period that is permanent i.e.
> once authored they can only be disabled or enabled. There are many use cases
> where such policies or even a policy condition needs to be time bound. For
> example certain financial information about earnings that is sensitive and
> restricted only until the earnings release date.
> it would be great to have the ability to specify with each policy a time
> horizon when it is effective (i.e.) either be effective after a certain date
> and/or expire after a specific date or only valid within a certain time
> window and have Ranger check whether the policy is effective before
> evaluating in the policy engine. Therefore, policy authoring can be
> simplified and does not require any subsequent action from the user,
> basically making policy authoring a one time effort and users do not have to
> go back disable the policies once it is past the expiration date.
> This means that:
> # Ranger policy engine needs to be able to recognize the start and end times
> for policies and enforce them based on period of validity specified by the
> user.
> # Active policies should be checked not only based on the resource, user and
> environment context but also whether the policy is effective.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
