Madhan Neethiraj created RANGER-3617:
----------------------------------------
Summary: incorrect deny for _any access due to tag policy
Key: RANGER-3617
URL: https://issues.apache.org/jira/browse/RANGER-3617
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 2.2.0, 2.1.0
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj
API to check if user has any access within a resource returns deny when a
tag-based policy denies access to a child resource, even though another policy
allows access to a different child resource. More details to reproduce the
issue below:
# Policy on tag={{{}RESTRICTED{}}} denies {{select}} access to user2
# A resource-based policy allows {{select}} access to user2 on {{database=*,
table=*, column=*}}
# Column {{finance.tax_2016.name}} is tagged with {{RESTRICTED}}
# user2 is denied {{select}} on this column by above tag-based policy – this
is as expected
# user2 is denied {{_any}} on {{finance}} database (like "use finance;") by
above tag-based policy – which is incorrect
Expected: access should have been allowed by above resource-based policy
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
