[ https://issues.apache.org/jira/browse/RANGER-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Abhay Kulkarni updated RANGER-2379:
-----------------------------------
Description:
Currently, a tag service is associated with a security zone if and only if any
service-resource (that is, a tuple <resource-service, resource>) in the
Security Zone is contained in a resource-service that is associated with the tag
service. However, consider the following use case:
1) No zone exists. Tag-based policies are in place, say for PII, EXPIRES_ON,
etc.
2) A few tables in the finance DB were tagged with EXPIRES_ON; a few columns within
this DB were tagged with PII. So tag-based access enforcement/masking policies
are in effect for these objects.
3) An admin creates a 'Finance' zone and moves the 'finance' DB to this zone.
4) All tag-based policy enforcement is lost, as there is no tag-based policy in
the 'finance' zone; the policies still belong to the "unzoned" zone.
Given this, it is a better design not to automatically create the tag-service->zone
association. Instead, the zone->tag-service association needs to be
supported directly, similar to how the zone->resource-service association is
established, with one difference: when a tag service is associated with a
Security Zone, the user should not be able to include any resource (tag-name, to be
specific). This requires GUI changes for Security Zone CRUD, but no other
changes, especially to the tag service browser or tag policy creation.
From the access evaluation perspective, if the accessed resource falls in a Security
Zone, then there are two cases:
1) The Tag-service associated with the Resource-service is in the Security Zone.
2) The Tag-service associated with the Resource-service is not in the Security
Zone.
Tag policies in the associated Tag-service in the default ("unzoned") Security Zone
need to be considered for evaluation in case 2.
was:
Currently, a tag service is associated with a security zone if and only if any
service-resource (that is, a tuple <resource-service, resource>) in the
Security Zone is contained in a resource-service that is associated with the tag
service. However, consider the following use case:
1) No zone exists. Tag-based policies are in place, say for PII, EXPIRES_ON,
etc.
2) A few tables in the finance DB were tagged with EXPIRES_ON; a few columns within
this DB were tagged with PII. So tag-based access enforcement/masking policies
are in effect for these objects.
3) An admin creates a 'Finance' zone and moves the 'finance' DB to this zone.
4) All tag-based policy enforcement is lost, as there is no tag-based policy in
the 'finance' zone; the policies still belong to the "unzoned" zone.
Given this, it is a better design not to automatically create the tag-service->zone
association. Instead, the zone->tag-service association needs to be
supported directly, similar to how the zone->resource-service association is
established, with one difference: when a tag service is associated with a
Security Zone, the user should not be able to include any resource (tag-name, to be
specific). This requires GUI changes for Security Zone CRUD, but no other
changes, especially to the tag service browser or tag policy creation.
From the access evaluation perspective, if the accessed resource falls in a Security
Zone, then there are two possibilities:
1) There are policies for the zone in the associated tag-service.
2) There are no policies for the zone in the associated tag-service.
3) There is no associated tag-service.
Tag policies in the default ("unzoned") zone need to be considered for
evaluation in case 3.
> Support for associating a tag service with security zone and relevant
> authorization logic
> ------------------------------------------------------------------------------------------
>
> Key: RANGER-2379
> URL: https://issues.apache.org/jira/browse/RANGER-2379
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: master
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: master
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
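The two-case evaluation rule from the issue description, as an added example that is not Ranger's code: a small Python model (all class, field and sample names such as `hive` and `hive_tags` are invented) that replays steps 1-4 and shows the case 2 fallback to the unzoned tag policies, then case 1 once the tag service is associated with the zone.

```python
# Added example, not Ranger's code: a minimal model of the zone-aware tag policy
# lookup proposed in this issue. All names and sample values below are invented.

UNZONED = ""  # the default ("unzoned") zone, modelled as the empty zone name

class ZoneModel:
    def __init__(self):
        self.zone_of = {}            # (resource-service, resource) -> zone
        self.zone_tag_services = {}  # zone -> {tag-service}, the proposed link
        self.tag_service_of = {}     # resource-service -> tag-service
        self.tag_policies = {}       # (tag-service, zone) -> [(tag, effect)]
        self.tags = {}               # (resource-service, resource) -> {tag, ...}

    def applicable_tag_policies(self, svc, resource):
        # Case 1: the tag-service is associated with the resource's zone, so the
        # zone's own tag policies apply. Case 2 (and unzoned resources): fall
        # back to the tag-service's policies in the default ("unzoned") zone.
        tag_svc = self.tag_service_of.get(svc)
        if tag_svc is None:
            return []
        zone = self.zone_of.get((svc, resource), UNZONED)
        if tag_svc in self.zone_tag_services.get(zone, set()):
            return self.tag_policies.get((tag_svc, zone), [])
        return self.tag_policies.get((tag_svc, UNZONED), [])

    def effects(self, svc, resource):
        # Outcomes of applicable policies whose tag is attached to the resource.
        tags = self.tags.get((svc, resource), set())
        return {eff for tag, eff in self.applicable_tag_policies(svc, resource) if tag in tags}

def scenario():
    # Replay steps 1-4 of the issue, then add the proposed zone->tag-service link.
    m = ZoneModel()
    m.tag_service_of["hive"] = "hive_tags"
    m.tags[("hive", "finance")] = {"EXPIRES_ON"}
    m.tag_policies[("hive_tags", UNZONED)] = [("EXPIRES_ON", "deny"), ("PII", "mask")]
    before = m.effects("hive", "finance")        # no zone yet: {"deny"}
    m.zone_of[("hive", "finance")] = "Finance"   # step 3: finance DB moved into the zone
    after = m.effects("hive", "finance")         # case 2: unzoned fallback keeps {"deny"}
    m.zone_tag_services["Finance"] = {"hive_tags"}
    m.tag_policies[("hive_tags", "Finance")] = [("EXPIRES_ON", "mask")]
    zoned = m.effects("hive", "finance")         # case 1: the zone's own policy -> {"mask"}
    return before, after, zoned
```

Without the case 2 fallback, `after` would be an empty set, which is exactly the loss of enforcement described in step 4.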