[jira] [Created] (RANGER-2379) Support for associating a tag service with security zone and relevant authorization logic

Tue, 26 Mar 2019 12:08:17 -0700 

Abhay Kulkarni created RANGER-2379:
--------------------------------------

             Summary: Support for associating a tag service with security zone 
and relevant authorization logic 
                 Key: RANGER-2379
                 URL: https://issues.apache.org/jira/browse/RANGER-2379
             Project: Ranger
          Issue Type: Improvement
          Components: Ranger
    Affects Versions: master
            Reporter: Abhay Kulkarni
            Assignee: Abhay Kulkarni
             Fix For: master


Currently, tag service is associated with a security zone if and only if any 
service-resource (that is, a tuple <resource-service, resource> ) in the 
Security Zone is contained in resource-service that is associated with the tag 
service. However, consider the following use case:

1) No zone exists. Tag-based policies are in-place, say for PII, EXPIRES_ON, 
etc.

2) Few tables in finance DB were tagged with EXPIRES_ON; few columns within 
this DB were tagged with PII. So tag-based access enforcement/masking policies 
are in effect for these objects.

3) An admin creates 'Finance' zone and moves 'finance' DB to this zone.

4) All tag-based policy enforcement is lost; as there is no tag-based policy in 
'finance' zone, as the policies still belong to “unzoned” zone. 

Given this, it is a better design to not automatically create tag-service->zone 
association. Instead, the association between zone->tag-service needs to 
supported directly similar to how zone->resource-service association is 
established, with one difference; when a tag service is associated with a 
Security Zone, user should not be able to include any resource (tag-name, to be 
specific). This requires GUI changes for Security Zone CRUD, but no other 
changes, especially to tag service browser as well as tag policy creation.

On the access evaluation perspective, if accessed resource falls in a Security 
Zone, then there are two possibilities:

1) no policies for the zone in tag-service
 2) no association of the zone with tag-service

Although it is possible to differentiate between these two cases, tag policies 
in the default("unzoned") zone need to be considered for evaluation in both 
cases for now. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to