[
https://issues.apache.org/jira/browse/RANGER-4445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-4445:
-------------------------------------
Attachment: RANGER-4445.patch
> GDS APIs to manage policies
> ---------------------------
>
> Key: RANGER-4445
> URL: https://issues.apache.org/jira/browse/RANGER-4445
> Project: Ranger
> Issue Type: Sub-task
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4445.patch
>
>
> Datasets and projects in Ranger can be made accessible to users via policies.
> These policies use the same data structure as regular access-control policies
> of Ranger. However, instead of using existing policy management APIs,
> dataset/project policies should be managed only via GDS APIs for the
> following reasons:
> # Users having admin/policy-admin privilege on the dataset/project should be
> allowed to manage policies, which is different from other policies which
> require the user to have wider admin privilege or delegated-admin privilege
> on the resource.
> # Policies for a dataset/project should be deleted when the dataset/project
> is deleted.
> # Rename of a dataset/project should not impact enforcement of GDS policies.
> This might require GDS policies to refer to dataset/project via their IDs
> instead of names. Having GDS specific policy APIs will make it easier to
> handle this.
> # It is critical that dataset/project policies don't support wildcards or
> multiple resources. Supporting such will break the GDS UI that provides a
> single place to view all grants for a given dataset/project. (though
> wildcard/multiple-resources can be restricted via service-def, power users
> will find a way to update the service-def to get around this restriction -
> which can make GDS UI show incorrect grants).
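The single-resource, no-wildcard, ID-based constraints from the description, written as a server-side check. This is an added example, not code from RANGER-4445.patch or the Ranger project; the `dataset-id` resource key, the dict layout of the policy and the function name are assumptions made for illustration.

```python
import re

# Assumed resource key under which a GDS policy names its dataset; the ticket
# only says policies may need to refer to a dataset by ID instead of by name.
DATASET_RESOURCE_KEY = "dataset-id"
WILDCARD_CHARS = re.compile(r"[*?{}]")


def validate_dataset_policy(policy: dict, dataset_id: int) -> list:
    """Return the reasons to reject `policy` for `dataset_id` (empty list = ok).

    The check lives in the API layer, so editing the service-def cannot relax it.
    The policy layout (resources -> key -> values/flags) is an assumed shape.
    """
    errors = []
    resources = policy.get("resources") or {}

    # Exactly one resource element, and it must be the dataset reference.
    if set(resources) != {DATASET_RESOURCE_KEY}:
        errors.append(f"resources must contain only '{DATASET_RESOURCE_KEY}'")
        return errors

    res = resources[DATASET_RESOURCE_KEY]
    values = res.get("values") or []

    # One value only: several values would make one policy span datasets.
    if len(values) != 1:
        errors.append("exactly one dataset must be referenced")
    for v in values:
        if WILDCARD_CHARS.search(str(v)):
            errors.append(f"wildcard not allowed in resource value: {v!r}")
        elif str(v) != str(dataset_id):
            errors.append(f"policy references dataset {v!r}, expected {dataset_id}")

    # Exclude/recursive flags invert or widen the match; reject both.
    if res.get("isExcludes") or res.get("isRecursive"):
        errors.append("isExcludes/isRecursive are not allowed")
    # A second resource set would hide grants from a per-dataset view.
    if policy.get("additionalResources"):
        errors.append("additionalResources are not allowed")
    return errors
```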