Madhan Neethiraj created RANGER-3526:
----------------------------------------
Summary: policy evaluation ordering to use name as secondary
sorting key
Key: RANGER-3526
URL: https://issues.apache.org/jira/browse/RANGER-3526
Project: Ranger
Issue Type: Improvement
Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj
Policy engine evaluates policies in the following order: priority, has-deny,
has-no-deny. When multiple policies have same priority/has-deny/has-no-deny,
the ordering is not deterministic. This doesn't impact the result for access
policies - as all denies will be evaluated before allows. However, the result
for masking/row-filter can vary when multiple policies exists for a given
resource, and these policies define different mask/filter for a given
user/group/role.
Given name of a policy is unique within a service, using policy name as the
secondary sorting key will result in deterministic evaluation order.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
