Madhan Neethiraj created RANGER-4472:
----------------------------------------
Summary: getResourceACL() API updates
Key: RANGER-4472
URL: https://issues.apache.org/jira/browse/RANGER-4472
Project: Ranger
Issue Type: Bug
Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj
RangerPolicyEngineImpl.getResourceACL() needs to be updated to address the
following issues:
1. The API should evaluate only policies that are relevant to the resource. For
example:
* masking and row-filter policies are not applicable for a database resource
* masking policies are not applicable for a table resource
* row-filter policies are not applicable for a column resource
2. When a tag is found on SELF and DESCENDANT (see example below), SELF should
be considered as the matchType. Currently the policy engine might consider
DESCENDANT as the matchType, resulting in relevant policies not being evaluated.
* table db1.tbl1 has tag SENSITIVE
* column db1.tbl1.col1 has tag SENSITIVE
* getResourceACLs(db1.tbl1) will find the following 2 tags
** SENSITIVE, with matchType=SELF
** SENSITIVE, with matchType=DESCENDANT
* Both tags will use the same tag-based policy, since their names are the same.
* getResourceACLEvaluatorsForZone() can end up using DESCENDANT as it collects
the matchType for a given policy. This will subsequently result in the policy
not being evaluated, since DESCENDANT wouldn't match the matchScope specified in
the request.
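The matchType collection problem in item 2, modelled as an added example that is not part of the original issue and is not Ranger's code. All class and method names are hypothetical, the "last tag wins" collection is an assumed way of ending up with DESCENDANT, and the request's matchScope is assumed to be SELF (Java 16+ for records):

```java
import java.util.*;

// Simplified model of per-policy matchType collection (hypothetical names, not Ranger's API).
public class MatchTypePrecedence {
    enum MatchType { SELF, DESCENDANT }

    // A tag found for the requested resource, together with how it matched.
    record TagMatch(String tagName, MatchType matchType) {}

    // Tag-based policies are keyed by tag name, so both SENSITIVE tags map to one policy.
    static String policyFor(String tagName) { return "tag-policy:" + tagName; }

    // Assumed faulty collection: the last tag seen for a policy decides its matchType.
    static Map<String, MatchType> collectLastWins(List<TagMatch> tags) {
        Map<String, MatchType> byPolicy = new LinkedHashMap<>();
        for (TagMatch t : tags) {
            byPolicy.put(policyFor(t.tagName()), t.matchType());
        }
        return byPolicy;
    }

    // Corrected collection: once SELF is recorded for a policy, DESCENDANT cannot replace it.
    static Map<String, MatchType> collectSelfPreferred(List<TagMatch> tags) {
        Map<String, MatchType> byPolicy = new LinkedHashMap<>();
        for (TagMatch t : tags) {
            byPolicy.merge(policyFor(t.tagName()), t.matchType(),
                    (old, cur) -> old == MatchType.SELF ? old : cur);
        }
        return byPolicy;
    }

    // Policies whose collected matchType satisfies the request's matchScope.
    static List<String> evaluated(Map<String, MatchType> byPolicy, MatchType scope) {
        List<String> out = new ArrayList<>();
        byPolicy.forEach((p, m) -> { if (m == scope) out.add(p); });
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: tags found for db1.tbl1 (its own tag, then the tag on db1.tbl1.col1).
        List<TagMatch> tags = List.of(
                new TagMatch("SENSITIVE", MatchType.SELF),
                new TagMatch("SENSITIVE", MatchType.DESCENDANT));
        System.out.println("last wins:      " + evaluated(collectLastWins(tags), MatchType.SELF));
        System.out.println("SELF preferred: " + evaluated(collectSelfPreferred(tags), MatchType.SELF));
    }
}
```

With the last-wins collection the SENSITIVE policy drops out of the evaluated set, so any access it grants or denies is missing from the returned ACL; with SELF given precedence it is evaluated.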