[
https://issues.apache.org/jira/browse/RANGER-2232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16683145#comment-16683145
]
Don Bosco Durai commented on RANGER-2232:
-----------------------------------------
[~abhayk] This is a very good feature and you have articulated it very well in
the document.
+1 from my side.
I do have a suggestion: while we are implementing this feature, let's not make
it very much tied to resource policies. We should be able to use security zones
for other purposes also. E.g., in the future, we should be able to implement
other features like https://issues.apache.org/jira/browse/RANGER-693 using
security zones.
> Security Zones feature in Apache Ranger
> ---------------------------------------
>
> Key: RANGER-2232
> URL: https://issues.apache.org/jira/browse/RANGER-2232
> Project: Ranger
> Issue Type: New Feature
> Components: admin
> Reporter: Madhan Neethiraj
> Assignee: Abhay Kulkarni
> Priority: Major
> Attachments: Apache Ranger - Security Zones.pdf
>
>
> This is to introduce a new abstraction in Apache Ranger that would allow
> carving/bucketing of resources in a service into multiple zones, for better
> administration of security policies. This would enable multiple
> administrators to set up security policies for a service – based on the zones
> to which they have been granted administration rights.
> For example, let us consider 2 security zones ‘finance’ and ‘sales’:
> - Security zone ‘finance’ includes all contents in Hive database named
> ‘finance’
> - Security zone ‘sales’ includes all contents in ‘sales’ database
> - Set of users and groups are designated as administrators of each zone
> - Users are allowed to set up policies only in zones in which they are
> administrators
> - Policies defined in a zone are applicable only for resources of the zone
> - A zone can be extended to include resources from multiple services like
> HDFS, Hive, HBase, Kafka, .., allowing administrators of a zone to set up
> policies for resources owned by their organization across multiple services.
> - Audit logs will include name of the zone in which the accessed resource
> resides. Only users having appropriate permissions on the security zone can
> view its audit logs.
> Attached document has more details on various aspects of Security Zones.