[ https://issues.apache.org/jira/browse/RANGER-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhay Kulkarni updated RANGER-2066:
-----------------------------------
    Description: 
ERROR SCENARIO:

Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, 
manager)
 Column emp/prof_data/role is tagged with OFFICIAL tag.

Create following policies:
 Rsrc policy allows Read on table=*, column-family=*,column=* 
 Tag policy allows Read on OFFICIAL tag (emp/prof_data/role).

'scan emp' audit shows 2 rows:
 1. Resource: emp/personal_data
 Name / Type: column-family
 Allowed
 Policy allowing: Access based policy [Tag column shows PII]

2. Resource: emp/prof_data
 Name / Type: column-family
 Allowed
 Policy allowing: TAG based policy for OFFICIAL tag -> How can
column level tag based policy authorize whole of column family?

prof_data column-family should not be authorized by a tagged role column in it. 

  was:
ERROR SCENARIO:

Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, 
manager)
Column emp/prof_data/role is tagged with OFFICIAL tag.

Create following policies:
Rsrc policy allows R on *,*,* 
Tag policy allows R on OFFICIAL tag (emp/prof_data/role).

'scan emp' audit shows 2 rows:
1. Resource: emp/personal_data
Name / Type: column-family
Allowed
Policy allowing: Access based policy [Tag column shows PII]

2. Resource: emp/prof_data
Name / Type: column-family
Allowed
Policy allowing: TAG based policy -> How can column level tag
based policy authorize whole of column family?
TAG: OFFICIAL

This gives the impression that whole of personal_data column-family is tagged 
with the OFFICIAL tag.

Solution: Audit should be generated column wise so that each column can show 
the correct policy id authorizing it.

 


> Hbase column family access is authorized by a tagged column
> -----------------------------------------------------------
>
>                 Key: RANGER-2066
>                 URL: https://issues.apache.org/jira/browse/RANGER-2066
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 1.0.0, master
>            Reporter: Anuja Leekha
>            Priority: Major
>             Fix For: master, 1.1.0
>
>
> ERROR SCENARIO:
> Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, 
> manager)
>  Column emp/prof_data/role is tagged with OFFICIAL tag.
> Create following policies:
>  Rsrc policy allows Read on table=*, column-family=*,column=* 
>  Tag policy allows Read on OFFICIAL tag (emp/prof_data/role).
> 'scan emp' audit shows 2 rows:
>  1. Resource: emp/personal_data
>  Name / Type: column-family
>  Allowed
>  Policy allowing: Access based policy [Tag column shows PII]
> 2. Resource: emp/prof_data
>  Name / Type: column-family
>  Allowed
>  Policy allowing: TAG based policy for OFFICIAL tag -> How can
> column level tag based policy authorize whole of column family?
> prof_data column-family should not be authorized by a tagged role column in 
> it. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
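
The scenario above as a simplified model, added here as an example; it is not Apache Ranger code and does not come from the issue. The function names, the path-prefix matching and the tag-policy-first ordering are assumptions made for illustration.

```python
# Simplified model of the scenario in RANGER-2066; not Apache Ranger code.
# All names below (TAGS, tags_for, evaluate, scan_audit) are hypothetical.

# Tag assignments from the report: only column emp/prof_data/role is OFFICIAL.
TAGS = {"emp/prof_data/role": {"OFFICIAL"}}
TAG_POLICY_ALLOWS = {"OFFICIAL"}  # tag policy: Read on OFFICIAL
RESOURCE_POLICY = "resource policy (table=*, column-family=*, column=*)"


def tags_for(resource, include_descendants):
    """Collect the tags considered to apply to `resource`.

    A tag placed on the resource itself or on one of its ancestors applies.
    With include_descendants=True a tag on a child column also counts,
    which reproduces the audit row the report objects to.
    """
    found = set()
    for tagged, tags in TAGS.items():
        on_self_or_ancestor = resource == tagged or resource.startswith(tagged + "/")
        on_descendant = tagged.startswith(resource + "/")
        if on_self_or_ancestor or (include_descendants and on_descendant):
            found |= tags
    return found


def evaluate(resource, include_descendants):
    """Return the audit row (resource, result, authorizing policy) for a Read."""
    # Assumption: tag policies are consulted before resource policies.
    matched = tags_for(resource, include_descendants) & TAG_POLICY_ALLOWS
    if matched:
        return (resource, "Allowed", "tag policy for " + ",".join(sorted(matched)))
    return (resource, "Allowed", RESOURCE_POLICY)


def scan_audit(families, include_descendants):
    """Audit rows produced when a scan touches each column family."""
    return [evaluate(f, include_descendants) for f in families]


if __name__ == "__main__":
    families = ["emp/personal_data", "emp/prof_data"]
    for mode in (True, False):
        print("tags on descendant columns count:", mode)
        for row in scan_audit(families, mode) + [evaluate("emp/prof_data/role", mode)]:
            print("  ", row)
```

With descendant tags excluded, emp/prof_data is attributed to the resource policy while emp/prof_data/role is still attributed to the OFFICIAL tag policy.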
