[ https://issues.apache.org/jira/browse/RANGER-1300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16524131#comment-16524131 ]

Don Bosco Durai commented on RANGER-1300:
-----------------------------------------

{quote}Although I think the policy evaluation in Ranger is complex and 
counterintuitive with all the weights etc. (why not use a firewall approach and 
use the order by which it was entered?)
{quote}
It will be a long discussion with lots of history :) There are Ranger 
deployments which contain 1000s of policies, so policy evaluation time is very 
critical in HDFS and other high volume components. The same will be applicable 
for Object Store also. Also, the policy engine itself is a framework and 
advanced policies can be built on the framework. The framework supports user 
extension for context enrichment (similar to resource tags), conditional 
policies (e.g. custom time-based policies), etc. Once you add Deny policy and 
policy evaluation order, it further complicates the implementation. The team is 
constantly updating the implementation. If you have suggestions, we should 
start another thread to discuss it.

 
{quote}I don't know if Ranger knows a kind of event that is fired off when a 
policy change happens? If that exists you could manage many permissions 
directly from ranger.
{quote}
I recently gave a talk at DataWorks Summit on explicitly managing the policies 
on S3 according to Ranger Tag-Based policies. One open item was to 
reverse sync policies from S3 to Ranger. If that is what you are mentioning, 
then in S3 one option is to monitor for AWSConfig events and update Ranger or 
roll it back. Currently, because of the limitation in S3 on the number of policies, 
it might not be practical to manage S3 resource level policies with Ranger.

> S3 support
> ----------
>
>                 Key: RANGER-1300
>                 URL: https://issues.apache.org/jira/browse/RANGER-1300
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Jose
>            Priority: Major
>         Attachments: ranger-servicedef-aws-s3.json
>
>
> As more and more people are deploying Hadoop into AWS and as S3 is used in 
> lots of applications, it'd be nice to have S3 support built into Ranger.
> It's not a trivial task. Right now Ranger Storage support (only hdfs) runs 
> directly in the Namenode



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
