[ 
https://issues.apache.org/jira/browse/RANGER-4299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-4299:
-------------------------------------
    Description: 
A critical requirement for security zone is to ensure that a given resource 
belongs to at most only one security zone. This works well when all zones have 
resources with the same resource hierarchy - like path, database/table, 
database/table. However, when zones contain resources with different 
hierarchies, the validation doesn't enforce above requirement. For example:

 

 
{code:java}
Zone1: [ { database: * } ] 
Zone2: [ { database: db1, table: tbl1 } ]
{code}
 

Above zones are not valid, as table {{db1.tbl1}} belongs to both Zone1 and 
Zone2.  However, zone resource validator doesn't handle this case correctly 
hence allows zones with above resources. Validation should be fixed to prevent 
zones with above resources.

  was:
A critical requirement for security zone is to ensure that a given resource 
belongs to at most only one security zone. This works well when all zones have 
resources with the same resource hierarchy - like path, database/table, 
database/table. However, when zones contain resources with different 
hierarchies, the validation doesn't enforce above requirement. For example:

 

 
{code:java}
Zone1: [ { database: db1 } ] 
Zone2: [ { database: db1, table: tbl1 } ]
{code}
 

Above zones are not valid, as table {{db1.tbl1}} belongs to both Zone1 and 
Zone2.  However, zone resource validator doesn't handle this case correctly 
hence allows zones with above resources. Validation should be fixed to prevent 
zones with above resources.


> Zone resource validator handling of resources at different levels
> -----------------------------------------------------------------
>
>                 Key: RANGER-4299
>                 URL: https://issues.apache.org/jira/browse/RANGER-4299
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: RANGER-4299.patch
>
>
> A critical requirement for security zone is to ensure that a given resource 
> belongs to at most only one security zone. This works well when all zones 
> have resources with the same resource hierarchy - like path, database/table, 
> database/table. However, when zones contain resources with different 
> hierarchies, the validation doesn't enforce above requirement. For example:
>  
>  
> {code:java}
> Zone1: [ { database: * } ] 
> Zone2: [ { database: db1, table: tbl1 } ]
> {code}
>  
> Above zones are not valid, as table {{db1.tbl1}} belongs to both Zone1 and 
> Zone2.  However, zone resource validator doesn't handle this case correctly 
> hence allows zones with above resources. Validation should be fixed to 
> prevent zones with above resources.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
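
The cross-level overlap check the description asks for, sketched as an added example; it is not Ranger's validator code and not taken from the attached patch. It assumes a single database > table > column hierarchy and values that are either literals or `*`; all function names are hypothetical, and `same_level_only_overlap` is only an illustrative stand-in for a check that misses the reported case.

```python
# Added illustration: simplified model, not Ranger's validator code.
# Assumptions: one hierarchy (database > table > column); values are literals or "*".
HIERARCHY = ("database", "table", "column")


def values_overlap(a, b):
    """Value lists overlap if either contains "*" or they share a literal."""
    return "*" in a or "*" in b or bool(set(a) & set(b))


def same_level_only_overlap(r1, r2):
    """Illustrative stand-in for the reported gap (not the actual validator
    logic): resources defined at different levels are never compared."""
    if set(r1) != set(r2):
        return False
    return all(values_overlap(r1[k], r2[k]) for k in r1)


def resources_overlap(r1, r2):
    """A resource that stops at a higher level covers everything beneath it,
    so a level missing from one side is treated as "*"."""
    return all(
        values_overlap(r1.get(level, ["*"]), r2.get(level, ["*"]))
        for level in HIERARCHY
    )


def find_zone_conflicts(zones, overlap=resources_overlap):
    """Return (zone_a, zone_b, res_a, res_b) for every cross-zone overlap."""
    names = sorted(zones)
    return [
        (za, zb, ra, rb)
        for i, za in enumerate(names)
        for zb in names[i + 1:]
        for ra in zones[za]
        for rb in zones[zb]
        if overlap(ra, rb)
    ]


# Zones from the issue description, written as level -> list of values.
ZONES = {
    "Zone1": [{"database": ["*"]}],
    "Zone2": [{"database": ["db1"], "table": ["tbl1"]}],
}

if __name__ == "__main__":
    print("same-level check:", find_zone_conflicts(ZONES, same_level_only_overlap))
    print("cross-level check:", find_zone_conflicts(ZONES))
```
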
