Abhay Kulkarni updated RANGER-2000:
    Summary: Policy effective dates to support time-bound and temporary 
authorization  (was: Policy & policy item effective dates to support time-bound 
and temporary authorization)

> Policy effective dates to support time-bound and temporary authorization
> ------------------------------------------------------------------------
>                 Key: RANGER-2000
>                 URL: https://issues.apache.org/jira/browse/RANGER-2000
>             Project: Ranger
>          Issue Type: New Feature
>          Components: Ranger
>            Reporter: Srikanth Venkat
>            Assignee: Abhay Kulkarni
>            Priority: Major
>             Fix For: master
> Currently Ranger policies have an effectiveness period that is permanent, i.e. 
> once authored they can only be disabled or enabled. There are many use cases 
> where such policies or even a policy condition needs to be time bound. For 
> example, certain financial information about earnings is sensitive and 
> restricted only until the earnings release date. 
> It would be great to have the ability to specify with each policy a time 
> horizon when it is effective, i.e. either be effective after a certain date 
> and/or expire after a specific date or only valid within a certain time 
> window, and have Ranger check whether the policy is effective before 
> evaluating in the policy engine. Therefore, policy authoring can be 
> simplified and does not require any subsequent action from the user, 
> basically making policy authoring a one-time effort, and users do not have to 
> go back and disable the policies once it is past the expiration date.
> This means that:
>  # Ranger policy engine needs to be able to recognize the start and end times 
> for policies and enforce them based on period of validity specified by the 
> user.
>  # Active policies should be checked not only based on the resource, user and 
> environment context but also whether the policy is effective.
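
The two requirements above, sketched as an added example (not Ranger's code or API, and not part of the original issue): a policy carries an optional start and/or end time, and the effectiveness check runs before the resource and user match. The class, field and function names, the resource name and the dates are all hypothetical; the end bound is assumed to be exclusive.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class Policy:                          # hypothetical model, not Ranger's classes
    name: str
    resource: str
    users: frozenset
    enabled: bool = True
    start: Optional[datetime] = None   # None: effective as soon as authored
    end: Optional[datetime] = None     # None: never expires

    def __post_init__(self):
        # Naive timestamps would make the window depend on each host's zone.
        for bound in (self.start, self.end):
            if bound is not None and bound.tzinfo is None:
                raise ValueError(f"{self.name}: bounds must be timezone-aware")
        if self.start is not None and self.end is not None and self.end <= self.start:
            raise ValueError(f"{self.name}: end must be later than start")

    def is_effective(self, now: datetime) -> bool:
        if now.tzinfo is None:
            raise ValueError("evaluation time must be timezone-aware")
        if not self.enabled:
            return False
        if self.start is not None and now < self.start:
            return False               # not yet effective
        return self.end is None or now < self.end   # assumed: end is exclusive

def is_allowed(policies, user, resource, now):
    """Default deny: grant only if a matching policy is effective at `now`."""
    return any(p.is_effective(now) and p.resource == resource and user in p.users
               for p in policies)

# Constructed sample data: earnings figures restricted until a release date.
RELEASE = datetime(2030, 1, 15, 13, 0, tzinfo=UTC)
POLICIES = [
    Policy("finance-permanent", "finance.earnings", frozenset({"cfo"})),
    Policy("analysts-after-release", "finance.earnings", frozenset({"analyst"}),
           start=RELEASE),
    Policy("auditor-temporary", "finance.earnings", frozenset({"auditor"}),
           start=datetime(2030, 1, 1, tzinfo=UTC), end=datetime(2030, 1, 8, tzinfo=UTC)),
]

if __name__ == "__main__":
    for user in ("cfo", "analyst", "auditor"):
        print(user, is_allowed(POLICIES, user, "finance.earnings",
                               datetime(2030, 1, 5, tzinfo=UTC)))
```

Rejecting naive timestamps at both authoring and evaluation time keeps every enforcement point agreeing on when a window opens and closes, and an expired policy simply stops matching, so access falls back to deny without anyone disabling it.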
