[
https://issues.apache.org/jira/browse/RANGER-3617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3617:
-------------------------------------
Description:
API to check if user has any access within a resource returns deny when a
tag-based policy denies access to a child resource, even though another policy
allows access to a different child resource. More details to reproduce the
issue below:
# Policy on tag={{RESTRICTED}} denies {{select}} access to user2
# A resource-based policy allows {{select}} access to user2 on {{database=\*, table=\*, column=\*}}
# Column {{finance.tax_2016.name}} is tagged with {{RESTRICTED}}
# user2 is denied {{select}} on this column by above tag-based policy – this is as expected
# user2 is denied {{_any}} on {{finance}} database (like "use finance;") by above tag-based policy – which is incorrect
Expected: access should have been allowed by above resource-based policy
was:
API to check if user has any access within a resource returns deny when a
tag-based policy denies access to a child resource, even though another policy
allows access to a different child resource. More details to reproduce the
issue below:
# Policy on tag={{RESTRICTED}} denies {{select}} access to user2
# A resource-based policy allows {{select}} access to user2 on {{database=*, table=*, column=*}}
# Column {{finance.tax_2016.name}} is tagged with {{RESTRICTED}}
# user2 is denied {{select}} on this column by above tag-based policy – this is as expected
# user2 is denied {{_any}} on {{finance}} database (like "use finance;") by above tag-based policy – which is incorrect
Expected: access should have been allowed by above resource-based policy
> incorrect deny for _any access due to tag policy
> ------------------------------------------------
>
> Key: RANGER-3617
> URL: https://issues.apache.org/jira/browse/RANGER-3617
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.1.0, 2.2.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
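A simplified model of the scenario in the description, added here as an example; it is not Ranger's evaluator code. The function names, the policy shape, the `amount` column and the `hr` database are constructed for illustration. It contrasts the reported `_any` result with the expected one.

```python
from fnmatch import fnmatchcase

# Constructed catalog (column -> tags). Only finance.tax_2016.name is from the
# issue; the other columns are made up for illustration.
CATALOG = {
    ("finance", "tax_2016", "name"): {"RESTRICTED"},
    ("finance", "tax_2016", "amount"): set(),
    ("hr", "payroll", "ssn"): {"RESTRICTED"},
}
# The two policies from the issue, in a simplified shape (not Ranger's schema).
TAG_DENY = [{"tag": "RESTRICTED", "user": "user2", "access": "select"}]
RESOURCE_ALLOW = [{"resource": ("*", "*", "*"), "user": "user2", "access": "select"}]
ACCESS_TYPES = ("select",)


def tag_denied(user, access, column):
    """True if a tag-based policy denies this access on this exact column."""
    return any(p["user"] == user and p["access"] == access
               and p["tag"] in CATALOG.get(column, set()) for p in TAG_DENY)


def is_allowed(user, access, column):
    """Exact-resource check: a tag deny wins, otherwise look for an allow."""
    if tag_denied(user, access, column):
        return False
    return any(p["user"] == user and p["access"] == access
               and all(fnmatchcase(v, pat) for v, pat in zip(column, p["resource"]))
               for p in RESOURCE_ALLOW)


def children(database):
    """All catalogued columns that live under the given database."""
    return [c for c in CATALOG if c[0] == database]


def any_access_reported(user, database):
    """Models the reported result: one denied child denies the whole scope."""
    if any(tag_denied(user, a, c) for c in children(database) for a in ACCESS_TYPES):
        return False
    return any(is_allowed(user, a, c) for c in children(database) for a in ACCESS_TYPES)


def any_access_expected(user, database):
    """Expected result: allowed if at least one child grants some access."""
    return any(is_allowed(user, a, c) for c in children(database) for a in ACCESS_TYPES)
```

The constructed `hr` database, whose only column is tagged, shows that the expected semantics still deny `_any` when no child resource is accessible.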