Abhishek Shukla created RANGER-3330:
---------------------------------------
Summary: [Atlas classification authorization] _CLASSIFIED classification not supported in atlas policies
Key: RANGER-3330
URL: https://issues.apache.org/jira/browse/RANGER-3330
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 2.2.0
Reporter: Abhishek Shukla
*Test Policies*:
{code:java}
[
  {
    "service": "cm_atlas",
    "name": "test_atlas_with_classification_auth_policy_2",
    "policyType": 0,
    "policyPriority": 0,
    "description": "test_atlas_with_classification_auth_policy_2",
    "isAuditEnabled": true,
    "resources": {
      "entity-type": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity-classification": {
        "values": [
          "_NOT_CLASSIFIED"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "classification": {
        "values": [
          "PII"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      }
    },
    "policyItems": [
      {
        "accesses": [
          {
            "type": "entity-add-classification",
            "isAllowed": true
          },
          {
            "type": "entity-update-classification",
            "isAllowed": true
          },
          {
            "type": "entity-remove-classification",
            "isAllowed": true
          }
        ],
        "users": [
          "hrt_2"
        ],
        "groups": [],
        "roles": [],
        "conditions": [],
        "delegateAdmin": true
      }
    ],
    "denyPolicyItems": [],
    "allowExceptions": [],
    "denyExceptions": [],
    "dataMaskPolicyItems": [],
    "rowFilterPolicyItems": [],
    "serviceType": "atlas",
    "options": {},
    "validitySchedules": [],
    "policyLabels": [],
    "zoneName": "",
    "isDenyAllElse": false,
    "id": 37,
    "guid": "3231a2cf-d819-48ec-a3e7-89e960499b85",
    "isEnabled": true,
    "version": 1
  },
  {
    "service": "cm_atlas",
    "name": "test_atlas_with_classification_auth_policy_3",
    "policyType": 0,
    "policyPriority": 0,
    "description": "test_atlas_with_classification_auth_policy_3",
    "isAuditEnabled": true,
    "resources": {
      "entity-type": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity-classification": {
        "values": [
          "_CLASSIFIED"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "classification": {
        "values": [
          "FINANCE"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      }
    },
    "policyItems": [
      {
        "accesses": [
          {
            "type": "entity-add-classification",
            "isAllowed": true
          },
          {
            "type": "entity-update-classification",
            "isAllowed": true
          },
          {
            "type": "entity-remove-classification",
            "isAllowed": true
          }
        ],
        "users": [
          "hrt_2"
        ],
        "groups": [],
        "roles": [],
        "conditions": [],
        "delegateAdmin": true
      }
    ],
    "denyPolicyItems": [],
    "allowExceptions": [],
    "denyExceptions": [],
    "dataMaskPolicyItems": [],
    "rowFilterPolicyItems": [],
    "serviceType": "atlas",
    "options": {},
    "validitySchedules": [],
    "policyLabels": [],
    "zoneName": "",
    "isDenyAllElse": false,
    "id": 37,
    "guid": "3231a2cf-d819-48ec-a3e7-89e960499b85",
    "isEnabled": true,
    "version": 1
  }
]
{code}
- User hrt_2 tries to add a PII tag to an entity that doesn't have any
pre-existing tag associated with it; this operation is successful.
- Now it tries to add a FINANCE tag to the same entity, and the expectation is
that the tag should be allowed to be added, but it's denied access by the
Atlas plugin.

Do we not support the _CLASSIFIED keyword in the entity-classification resource?
_NOT_CLASSIFIED is supported and is also shown in the dropdown in the Ranger
admin UI while creating an Atlas policy, but the same is not true for _CLASSIFIED.

Creating this Jira for more discussion on this issue.
cc [~nixon]
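The two steps from this report, replayed against a simplified resource matcher. This is an added example, not Ranger or Atlas code and not from the reporter. It assumes a request presents the entity's existing tags for `entity-classification` plus whichever keywords the evaluator recognizes; the function names and the `keywords` parameter are hypothetical.

```python
# Simplified model of matching Atlas classification requests against the two
# test policies from the report. Not Ranger code: the evaluator is an assumption.
NOT_CLASSIFIED = "_NOT_CLASSIFIED"   # keyword the report says is supported
CLASSIFIED = "_CLASSIFIED"           # keyword under question in RANGER-3330

# Constructed summary of the two reported policies (resources and user only).
POLICIES = [
    {"name": "test_atlas_with_classification_auth_policy_2",
     "entity-classification": [NOT_CLASSIFIED], "classification": ["PII"],
     "users": ["hrt_2"]},
    {"name": "test_atlas_with_classification_auth_policy_3",
     "entity-classification": [CLASSIFIED], "classification": ["FINANCE"],
     "users": ["hrt_2"]},
]

def entity_classification_values(existing_tags, keywords):
    """Values a request presents for the entity-classification resource."""
    values = set(existing_tags)
    if not existing_tags and NOT_CLASSIFIED in keywords:
        values.add(NOT_CLASSIFIED)
    if existing_tags and CLASSIFIED in keywords:
        values.add(CLASSIFIED)
    return values

def matches(policy_values, request_values):
    """A resource matches on '*' or on any shared value."""
    return "*" in policy_values or bool(set(policy_values) & request_values)

def evaluate(user, new_tag, existing_tags, keywords):
    """Return the name of the first allowing policy, or None for deny."""
    request_ec = entity_classification_values(existing_tags, keywords)
    for policy in POLICIES:
        if (user in policy["users"]
                and matches(policy["classification"], {new_tag})
                and matches(policy["entity-classification"], request_ec)):
            return policy["name"]
    return None

def replay(keywords):
    """Replay the report: add PII to an untagged entity, then add FINANCE."""
    step1 = evaluate("hrt_2", "PII", [], keywords)
    step2 = evaluate("hrt_2", "FINANCE", ["PII"], keywords)
    return step1, step2

if __name__ == "__main__":
    print("only _NOT_CLASSIFIED:", replay({NOT_CLASSIFIED}))
    print("both keywords:       ", replay({NOT_CLASSIFIED, CLASSIFIED}))
```

In this model the reported allow-then-deny sequence appears when only `_NOT_CLASSIFIED` is recognized, and the second step is allowed by the `_CLASSIFIED` policy once both keywords are recognized.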