[ https://issues.apache.org/jira/browse/RANGER-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Velmurugan Periasamy updated RANGER-2379:
-----------------------------------------
    Fix Version/s:     (was: master)
                       2.0.0

> Support for associating a tag service with security zone and relevant authorization logic
> ------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2379
>                 URL: https://issues.apache.org/jira/browse/RANGER-2379
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>    Affects Versions: master
>            Reporter: Abhay Kulkarni
>            Assignee: Abhay Kulkarni
>            Priority: Major
>             Fix For: 2.0.0
>
>
> Currently, tag service is associated with a security zone if and only if any service-resource (that is, a tuple <resource-service, resource>) in the Security Zone is contained in resource-service that is associated with the tag service. However, consider the following use case:
> 1) No zone exists. Tag-based policies are in place, say for PII, EXPIRES_ON, etc.
> 2) Few tables in finance DB were tagged with EXPIRES_ON; few columns within this DB were tagged with PII. So tag-based access enforcement/masking policies are in effect for these objects.
> 3) An admin creates 'Finance' zone and moves 'finance' DB to this zone.
> 4) All tag-based policy enforcement is lost, as there is no tag-based policy in 'finance' zone; the policies still belong to the "unzoned" zone.
> Given this, it is a better design to not automatically create tag-service->zone association. Instead, the association between zone->tag-service needs to be supported directly, similar to how zone->resource-service association is established, with one difference: when a tag service is associated with a Security Zone, user should not be able to include any resource (tag-name, to be specific). This requires GUI changes for Security Zone CRUD, but no other changes, especially to tag service browser as well as tag policy creation.
>
> From the access evaluation perspective, if accessed resource falls in a Security Zone, then there are two cases:
> 1) Tag-service associated with the Resource-service is in the Security Zone.
> 2) Tag-service associated with the Resource-service is not in the Security Zone.
> Tag policies in associated Tag-service in the default ("unzoned") Security Zone need to be considered for evaluation in case 2.

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
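The zone->tag-service association rule and the two-case evaluation described in the issue, as an added example that is not Ranger's own code; the zone, policy and evaluator names, and the "hive"/"tags"/"finance" sample values, are constructed for illustration:

```python
from dataclasses import dataclass, field

UNZONED = ""  # the default ("unzoned") security zone

@dataclass
class SecurityZone:
    name: str
    resources: dict = field(default_factory=dict)   # service -> {resource, ...}
    tag_services: set = field(default_factory=set)  # tag services tied to zone

@dataclass
class TagPolicy:
    tag: str             # e.g. "PII", "EXPIRES_ON"
    effect: str          # e.g. "mask", "deny"
    zone: str = UNZONED  # zone the policy belongs to

def associate_tag_service(zone, tag_service, resources=None):
    # zone -> tag-service association; the tag service carries no resources
    if resources:
        raise ValueError("a tag service associated with a zone cannot list resources")
    zone.tag_services.add(tag_service)
    return zone

class Evaluator:
    def __init__(self, zones, service_to_tag_service, tag_policies):
        self.zones = {z.name: z for z in zones}
        self.service_to_tag_service = service_to_tag_service  # "hive" -> "tags"
        self.tag_policies = tag_policies  # tag service -> [TagPolicy, ...]

    def zone_of(self, service, resource):
        for z in self.zones.values():
            if resource in z.resources.get(service, ()):
                return z.name
        return UNZONED

    def applicable_tag_policies(self, service, resource):
        zone = self.zone_of(service, resource)
        tag_service = self.service_to_tag_service[service]
        if zone != UNZONED and tag_service in self.zones[zone].tag_services:
            policy_zone = zone     # case 1: the zone owns its tag policies
        else:
            policy_zone = UNZONED  # case 2: fall back to unzoned tag policies
        return [p for p in self.tag_policies.get(tag_service, []) if p.zone == policy_zone]

    def effects_for(self, service, resource, tags):
        # effects of applicable tag policies matching any tag on the resource
        return {p.effect for p in self.applicable_tag_policies(service, resource) if p.tag in tags}
```

With this lookup, moving the 'finance' DB into a new zone that has no tag service associated keeps the unzoned PII/EXPIRES_ON policies in force (case 2), instead of silently losing enforcement.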