[ 
https://issues.apache.org/jira/browse/RANGER-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-2379:
-----------------------------------------
    Fix Version/s:     (was: master)
                   2.0.0

> Support for associating a tag service with security zone and relevant 
> authorization logic 
> ------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2379
>                 URL: https://issues.apache.org/jira/browse/RANGER-2379
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>    Affects Versions: master
>            Reporter: Abhay Kulkarni
>            Assignee: Abhay Kulkarni
>            Priority: Major
>             Fix For: 2.0.0
>
>
> Currently, a tag service is associated with a security zone if and only if any
> service-resource (that is, a tuple <resource-service, resource>) in the
> Security Zone is contained in the resource-service that is associated with the
> tag service. However, consider the following use case:
> 1) No zone exists. Tag-based policies are in place, say for PII, EXPIRES_ON,
> etc.
> 2) A few tables in the finance DB were tagged with EXPIRES_ON; a few columns within
> this DB were tagged with PII. So tag-based access enforcement/masking
> policies are in effect for these objects.
> 3) An admin creates a 'Finance' zone and moves the 'finance' DB to this zone.
> 4) All tag-based policy enforcement is lost, as there is no tag-based policy
> in the 'finance' zone; the policies still belong to the “unzoned” zone.
> Given this, it is a better design to not automatically create the
> tag-service->zone association. Instead, the association between
> zone->tag-service needs to be supported directly, similar to how the
> zone->resource-service association is established, with one difference: when
> a tag service is associated with a Security Zone, the user should not be able to
> include any resource (tag-name, to be specific). This requires GUI changes
> for Security Zone CRUD, but no other changes, especially to the tag service
> browser as well as tag policy creation.
> From the access evaluation perspective, if the accessed resource falls in a
> Security Zone, then there are two cases:
> 1) The tag-service associated with the resource-service is in the Security Zone.
> 2) The tag-service associated with the resource-service is not in the Security
> Zone.
> Tag policies in the associated tag-service in the default ("unzoned") Security
> Zone need to be considered for evaluation in case 2.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
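The two evaluation cases and the finance scenario from the ticket, modelled as a small Python example added here (this is not Ranger's code; the zone, service, DB and tag names are constructed sample values, and the tag service is simply called "tags").

```python
# Added example, not Ranger code: a simplified model of the zone-aware tag
# policy resolution proposed in RANGER-2379. Zone, service, DB and tag names
# are constructed sample values.
from dataclasses import dataclass, field

UNZONED = ""  # the default ("unzoned") security zone


@dataclass
class SecurityZone:
    name: str
    resources: dict = field(default_factory=dict)   # resource-service -> DBs in zone
    tag_services: set = field(default_factory=set)  # RANGER-2379: zone->tag-service

def associate_tag_service(zone, tag_service, resources=()):
    """Zone->tag-service association; listing tag names as resources is rejected."""
    if resources:
        raise ValueError("a tag service in a zone cannot carry resources (tag names)")
    zone.tag_services.add(tag_service)

def zone_for_resource(zones, service, db):
    """Name of the zone that contains <service, db>, else UNZONED."""
    return next((z.name for z in zones if db in z.resources.get(service, ())), UNZONED)

def tag_policy_zone(zones, service, db, tag_service):
    """Zone whose tag policies apply: the resource's zone if the tag service is
    associated with it (case 1), otherwise the default zone (case 2)."""
    zone_name = zone_for_resource(zones, service, db)
    if any(z.name == zone_name and tag_service in z.tag_services for z in zones):
        return zone_name
    return UNZONED

def applicable_tag_policies(zones, policies, service, db, tag_service, tags):
    """Tag policies (dicts with 'zone' and 'tag') in effect for a tagged object."""
    zone_name = tag_policy_zone(zones, service, db, tag_service)
    return [p for p in policies if p["zone"] == zone_name and p["tag"] in tags]

def finance_walkthrough():
    """Ticket steps 1-4: unzoned PII/EXPIRES_ON policies, finance DB moved into a
    new 'Finance' zone. Returns enforced tags before/after zone->tag-service link."""
    policies = [{"zone": UNZONED, "tag": "PII"}, {"zone": UNZONED, "tag": "EXPIRES_ON"},
                {"zone": "Finance", "tag": "PII"}]
    finance = SecurityZone("Finance", {"hive": {"finance"}})
    tags = {"PII", "EXPIRES_ON"}
    before = applicable_tag_policies([finance], policies, "hive", "finance", "tags", tags)
    associate_tag_service(finance, "tags")  # case 2 -> case 1
    after = applicable_tag_policies([finance], policies, "hive", "finance", "tags", tags)
    return [p["tag"] for p in before], [p["tag"] for p in after]
```

Without the association the unzoned tag policies still protect the moved DB (case 2); once the tag service is linked to the zone, only the zone's own tag policies are evaluated (case 1), so PII stays enforced while EXPIRES_ON no longer applies.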
