[jira] [Updated] (RANGER-2066) Hbase column family access is authorized by a tagged column in the column family

Abhay Kulkarni (JIRA) Wed, 11 Apr 2018 14:57:52 -0700

     [ 
https://issues.apache.org/jira/browse/RANGER-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Abhay Kulkarni updated RANGER-2066:
-----------------------------------
    Description: 
ERROR SCENARIO:

Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, 
manager)
 Column emp/prof_data/role is tagged with OFFICIAL tag.

Create following policies:
 Resource policy allows Read on table=*, ** column-family=*,column=*  and Tag 
policy allows Read on OFFICIAL tag for a test_user.

When test_user executes 'scan emp' command, two audit log records are created:
 1. Resource: emp/personal_data
 Name / Type: column-family
 Allowed
 Policy allowing: Resource based policy

2. Resource: emp/prof_data
 Name / Type: column-family
 Allowed
 Policy allowing: TAG based policy for OFFICIAL tag

prof_data column-family should not be authorized by a tagged role column in it. 

  was:
ERROR SCENARIO:

Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, 
manager)
 Column emp/prof_data/role is tagged with OFFICIAL tag.

Create following policies:
 Resource policy allows Read on table=*, column-family=*,column=*  and Tag 
policy allows Read on OFFICIAL tag for a test_user.

When test_user executes 'scan emp' command, two audit log records are created:
 1. Resource: emp/personal_data
 Name / Type: column-family
 Allowed
 Policy allowing: Resource based policy

2. Resource: emp/prof_data
 Name / Type: column-family
 Allowed
 Policy allowing: TAG based policy for OFFICIAL tag

prof_data column-family should not be authorized by a tagged role column in it. 


> Hbase column family access is authorized by a tagged column in the column 
> family
> --------------------------------------------------------------------------------
>
>                 Key: RANGER-2066
>                 URL: https://issues.apache.org/jira/browse/RANGER-2066
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 1.0.0, master
>            Reporter: Anuja Leekha
>            Priority: Major
>             Fix For: master, 1.1.0
>
>
> ERROR SCENARIO:
> Table emp has 2 column families: personal_data(name,SSN,age) ; 
> prof_data(role, manager)
>  Column emp/prof_data/role is tagged with OFFICIAL tag.
> Create following policies:
>  Resource policy allows Read on table=*, ** column-family=*,column=*  and Tag 
> policy allows Read on OFFICIAL tag for a test_user.
> When test_user executes 'scan emp' command, two audit log records are created:
>  1. Resource: emp/personal_data
>  Name / Type: column-family
>  Allowed
>  Policy allowing: Resource based policy
> 2. Resource: emp/prof_data
>  Name / Type: column-family
>  Allowed
>  Policy allowing: TAG based policy for OFFICIAL tag
> prof_data column-family should not be authorized by a tagged role column in 
> it. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Updated] (RANGER-2066) Hbase column family access is authorized by a tagged column in the column family

Reply via email to