[ https://issues.apache.org/jira/browse/RANGER-4472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj updated RANGER-4472:
-------------------------------------
Fix Version/s: 2.5.0
> getResourceACL() API updates
> ----------------------------
>
> Key: RANGER-4472
> URL: https://issues.apache.org/jira/browse/RANGER-4472
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.5.0
>
> Attachments: RANGER-4472.patch
>
>
> RangerPolicyEngineImpl.getResourceACL() needs to be updated to address the
> following issues:
> 1. The API should evaluate only policies that are relevant to the resource.
> For example:
> * masking and row-filter policies are not applicable for a database resource
> * masking policies are not applicable for a table resource
> * row-filter policies are not applicable for a column resource
> 2. When a tag is found on SELF and DESCENDANT (see example below), SELF
> should be considered as the matchType. Currently the policy engine might
> consider DESCENDANT as the matchType, resulting in relevant policies not
> being evaluated.
> * table db1.tbl1 has tag SENSITIVE
> * column db1.tbl1.col1 has tag SENSITIVE
> * getResourceACLs(db1.tbl1) will find the following 2 tags
> ** SENSITIVE, with matchType=SELF
> ** SENSITIVE, with matchType=DESCENDANT
> * Both tags will use the same tag-based policy, since their name is the same.
> * getResourceACLEvaluatorsForZone() can end up using DESCENDANT as it collects
> the matchType for a given policy. This will subsequently result in the policy
> not being evaluated, since DESCENDANT wouldn't match the matchScope specified
> in the request
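The matchType collection problem from item 2, as an added example that is not Ranger code and is not taken from RANGER-4472.patch. The `MatchType` enum, `TagMatch` record, method names and the SELF-only request scope are all hypothetical, constructed to show why a per-policy "last value wins" collection drops the policy and how SELF precedence avoids it (Java 16+ for records).

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class MatchTypePrecedence {
    // Hypothetical stand-in for the engine's match types (constructed for this example).
    enum MatchType { SELF, DESCENDANT }

    // One tag found for the requested resource, and how it matched (constructed type).
    record TagMatch(String tagName, MatchType matchType) {}

    // Flawed collection: the policy is keyed by tag name, so the last tag seen
    // overwrites the matchType recorded by an earlier tag with the same name.
    static Map<String, MatchType> collectLastWins(List<TagMatch> tags) {
        Map<String, MatchType> byPolicy = new LinkedHashMap<>();
        for (TagMatch t : tags) {
            byPolicy.put(t.tagName(), t.matchType());
        }
        return byPolicy;
    }

    // Corrected collection: once SELF has been seen for a policy it is kept,
    // whatever order the tags arrive in.
    static Map<String, MatchType> collectSelfWins(List<TagMatch> tags) {
        Map<String, MatchType> byPolicy = new LinkedHashMap<>();
        for (TagMatch t : tags) {
            byPolicy.merge(t.tagName(), t.matchType(),
                (prev, cur) -> (prev == MatchType.SELF || cur == MatchType.SELF) ? MatchType.SELF : prev);
        }
        return byPolicy;
    }

    // Assumption: the request's matchScope accepts only SELF matches.
    static boolean isEvaluated(MatchType collected) {
        return collected == MatchType.SELF;
    }

    public static void main(String[] args) {
        // Constructed input mirroring the report: db1.tbl1 and db1.tbl1.col1 both carry SENSITIVE.
        List<TagMatch> tags = List.of(
            new TagMatch("SENSITIVE", MatchType.SELF),         // tag on the table itself
            new TagMatch("SENSITIVE", MatchType.DESCENDANT));  // tag on the column below it

        MatchType flawed = collectLastWins(tags).get("SENSITIVE");
        MatchType fixed  = collectSelfWins(tags).get("SENSITIVE");
        System.out.println("last-wins: " + flawed + ", policy evaluated: " + isEvaluated(flawed));
        System.out.println("self-wins: " + fixed + ", policy evaluated: " + isEvaluated(fixed));
    }
}
```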