[https://issues.apache.org/jira/browse/RANGER-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16806958#comment-16806958]
Abhay Kulkarni edited comment on RANGER-2379 at 4/1/19 4:32 PM:
----------------------------------------------------------------
Patch available at the review board:
[https://reviews.apache.org/r/70310/]
Commit details:
master:
[https://github.com/apache/ranger/commit/d4d4f655d76e902cc8ad611e5b56d66d4487218e]
was (Author: abhayk):
Commit details:
master:
[https://github.com/apache/ranger/commit/d4d4f655d76e902cc8ad611e5b56d66d4487218e]
> Support for associating a tag service with security zone and relevant
> authorization logic
> ------------------------------------------------------------------------------------------
>
> Key: RANGER-2379
> URL: https://issues.apache.org/jira/browse/RANGER-2379
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: master
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: master
>
>
> Currently, a tag service is associated with a security zone if and only if any
> service-resource (that is, a tuple <resource-service, resource>) in the
> Security Zone is contained in a resource-service that is associated with the
> tag service. However, consider the following use case:
> 1) No zone exists. Tag-based policies are in place, say for PII, EXPIRES_ON,
> etc.
> 2) A few tables in the finance DB were tagged with EXPIRES_ON; a few columns
> within this DB were tagged with PII. So tag-based access enforcement/masking
> policies are in effect for these objects.
> 3) An admin creates a 'Finance' zone and moves the 'finance' DB to this zone.
> 4) All tag-based policy enforcement is lost, as there is no tag-based policy
> in the 'finance' zone; the policies still belong to the “unzoned” zone.
> Given this, it is a better design to not automatically create the
> tag-service->zone association. Instead, the zone->tag-service association
> needs to be supported directly, similar to how the zone->resource-service
> association is established, with one difference: when a tag service is
> associated with a Security Zone, the user should not be able to include any
> resource (tag-name, to be specific). This requires GUI changes for Security
> Zone CRUD, but no other changes, especially not to the tag service browser or
> tag policy creation.
> From the access evaluation perspective, if the accessed resource falls in a
> Security Zone, then there are two cases:
> 1) Tag-service associated with the Resource-service is in the Security Zone.
> 2) Tag-service associated with the Resource-service is not in the Security
> Zone.
> Tag policies in the associated Tag-service in the default ("unzoned") Security
> Zone need to be considered for evaluation in case 2.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
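The scenario and the two evaluation cases in the issue description, modelled as a small Python example. This is an added illustration, not Ranger's code: the class names (SecurityZone, TagPolicyStore), the dotted "db.table.column" resource notation, the "hive"/"hive_tags" service names and the policy effects ("deny", "mask") are all assumptions. It runs the four steps from the description once with the legacy automatic tag-service/zone association (enforcement is lost after the DB is moved) and once with the proposed explicit association (case 2 falls back to the unzoned tag policies; case 1 uses the zone's own tag policies).

```python
from dataclasses import dataclass, field

UNZONED = ""  # the default ("unzoned") zone is modelled as the empty name (assumption)


@dataclass
class SecurityZone:
    name: str
    dbs: set = field(default_factory=set)           # resource-service resources: database names
    tag_services: set = field(default_factory=set)  # tag services explicitly associated (proposed design)


@dataclass
class TagPolicyStore:
    # (zone name, tag service, tag) -> enforcement effect, e.g. "deny" or "mask"
    policies: dict = field(default_factory=dict)
    # resource -> set of tags attached to it (what the tag service reports)
    resource_tags: dict = field(default_factory=dict)
    # resource-service -> tag service it is associated with
    tag_service_of: dict = field(default_factory=dict)
    zones: dict = field(default_factory=dict)

    def zone_of(self, resource):
        """A resource is zoned when its database belongs to some zone."""
        db = resource.split(".")[0]
        for zone in self.zones.values():
            if db in zone.dbs:
                return zone.name
        return UNZONED

    def tags_on(self, resource):
        """Tags apply hierarchically: a table tag also covers its columns."""
        parts = resource.split(".")
        tags = set()
        for i in range(1, len(parts) + 1):
            tags |= self.resource_tags.get(".".join(parts[:i]), set())
        return tags

    def evaluate(self, resource_service, resource, legacy=False):
        """Return {tag: effect} for the tag policies that apply to the resource."""
        zone_name = self.zone_of(resource)
        tag_service = self.tag_service_of[resource_service]
        if zone_name == UNZONED:
            policy_zone = UNZONED
        elif legacy or tag_service in self.zones[zone_name].tag_services:
            # Case 1: tag service is in the zone -> only the zone's tag policies apply.
            # Legacy behaviour treats the tag service as zoned automatically,
            # which is exactly what loses enforcement in the issue's scenario.
            policy_zone = zone_name
        else:
            # Case 2: tag service is not in the zone -> fall back to unzoned tag policies.
            policy_zone = UNZONED
        applied = {}
        for tag in self.tags_on(resource):
            effect = self.policies.get((policy_zone, tag_service, tag))
            if effect:
                applied[tag] = effect
        return applied


def scenario():
    """Replay the four steps from the issue; returns the evaluation at each stage."""
    store = TagPolicyStore()
    store.tag_service_of["hive"] = "hive_tags"
    # Step 1: no zone exists; tag policies live in the unzoned zone (constructed data)
    store.policies[(UNZONED, "hive_tags", "EXPIRES_ON")] = "deny"
    store.policies[(UNZONED, "hive_tags", "PII")] = "mask"
    # Step 2: a table in the finance DB is tagged EXPIRES_ON, a column is tagged PII
    store.resource_tags["finance.payroll"] = {"EXPIRES_ON"}
    store.resource_tags["finance.payroll.ssn"] = {"PII"}
    before = store.evaluate("hive", "finance.payroll.ssn")
    # Step 3: an admin creates the 'Finance' zone and moves the 'finance' DB into it
    store.zones["Finance"] = SecurityZone("Finance", dbs={"finance"})
    # Step 4 (legacy): tag service is auto-zoned, zone has no tag policies -> enforcement lost
    legacy = store.evaluate("hive", "finance.payroll.ssn", legacy=True)
    # Proposed design, case 2: no explicit association -> unzoned tag policies still apply
    proposed = store.evaluate("hive", "finance.payroll.ssn")
    # Proposed design, case 1: admin associates the tag service with the zone and adds a zone policy
    store.zones["Finance"].tag_services.add("hive_tags")
    store.policies[("Finance", "hive_tags", "PII")] = "deny"
    zoned = store.evaluate("hive", "finance.payroll.ssn")
    return before, legacy, proposed, zoned


if __name__ == "__main__":
    for label, result in zip(("before zone", "legacy", "proposed case 2", "proposed case 1"), scenario()):
        print(f"{label:16s} -> {result}")
```

The `legacy` stage returning no effects is the regression the issue describes; the `proposed` stage keeps the unzoned masking and expiry enforcement until an admin deliberately brings the tag service into the zone, after which only the zone's own tag policies are consulted.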