[
https://issues.apache.org/jira/browse/RANGER-4061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17682240#comment-17682240
]
Madhan Neethiraj commented on RANGER-4061:
------------------------------------------
[~rmani] - sounds like a good idea. It will be critical to understand how
grant should deal with existing exceptions when a grant request arrives. For
example, consider the following:

GRANT publish ON TOPIC tp1 TO GROUP producers:

I think the above should result in the following updates to the policy for
topic TP1:
# add an allow-policy-item with group=producers, permission=publish
# remove allow-exception-policy-item for group=producers, permission=publish - if exists
# add a deny-exception-policy-item with group=producers permission=publish, so that any existing deny will exclude this group

> Grant and Revoke Request should support Allow Exception
> --------------------------------------------------------
>
> Key: RANGER-4061
> URL: https://issues.apache.org/jira/browse/RANGER-4061
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
>
> Current Grant and Revoke functionality in Apache Ranger supports only requests
> to create Allowed Permission. But there are services like Kafka where the ACL
> grant can have clauses like allow certain users/groups/hosts except
> users/groups/hosts.
> For this, enhance the current Ranger Grant Revoke API to include a new member
> to hold the “AllowException” policyItem, which can be added by the services
> which support this.
> By this enhancement, the Grant Revoke API will add the “Allow Exception”
> policyItem for the policy that will be created.
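
The three policy updates proposed in the comment above, sketched as an added example (not Ranger's code and not part of the issue). It goes slightly beyond the comment by narrowing, rather than deleting, an allow-exception item that also names other groups or permissions. Assumptions: the policy is a JSON-style dict using Ranger's `policyItems`, `denyPolicyItems`, `allowExceptions` and `denyExceptions` lists; `apply_group_grant`, its helpers and the sample policy are hypothetical.

```python
import copy

def _item(groups, perms):
    # Shape follows Ranger's policy-item JSON (accesses / users / groups).
    return {"accesses": [{"type": p, "isAllowed": True} for p in perms],
            "users": [], "groups": list(groups)}

def _perms(item):
    return [a["type"] for a in item["accesses"]]

def _covers(items, group, perm):
    return any(group in i["groups"] and perm in _perms(i) for i in items)

def _carve_out(items, group, perm):
    """Remove only the (group, perm) pair; keep other principals and permissions."""
    out = []
    for it in items:
        if group not in it["groups"] or perm not in _perms(it):
            out.append(it)
            continue
        others = copy.deepcopy(it)
        others["groups"].remove(group)
        if others["groups"] or others.get("users"):
            out.append(others)                 # remaining principals keep the item
        rest = [p for p in _perms(it) if p != perm]
        if rest:
            out.append(_item([group], rest))   # group keeps its other exceptions
    return out

def apply_group_grant(policy, group, perm):
    """Hypothetical helper applying the three updates listed in the comment."""
    p = copy.deepcopy(policy)                  # never mutate the caller's policy
    for key in ("policyItems", "denyPolicyItems", "allowExceptions", "denyExceptions"):
        p.setdefault(key, [])
    if not _covers(p["policyItems"], group, perm):
        p["policyItems"].append(_item([group], [perm]))      # 1. allow item
    p["allowExceptions"] = _carve_out(p["allowExceptions"], group, perm)  # 2.
    if not _covers(p["denyExceptions"], group, perm):
        p["denyExceptions"].append(_item([group], [perm]))   # 3. deny exception
    return p

# Constructed sample policy for topic tp1 (not taken from the issue).
SAMPLE = {
    "name": "tp1",
    "denyPolicyItems": [_item(["public"], ["publish"])],
    "allowExceptions": [_item(["producers", "interns"], ["publish", "consume"])],
}
# GRANT publish ON TOPIC tp1 TO GROUP producers
UPDATED = apply_group_grant(SAMPLE, "producers", "publish")
```

Because each step first checks whether the pair is already covered, replaying the same grant leaves the policy unchanged.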