[jira] [Created] (RANGER-5563) support restricting grants based on actions, in addition to permissions

Mon, 20 Apr 2026 18:32:05 -0700 

Madhan Neethiraj created RANGER-5563:
----------------------------------------

             Summary: support restricting grants based on actions, in addition 
to permissions
                 Key: RANGER-5563
                 URL: https://issues.apache.org/jira/browse/RANGER-5563
             Project: Ranger
          Issue Type: New Feature
          Components: admin, plugins
            Reporter: Madhan Neethiraj


Ranger policies support granting permissions on resources like 
read/write/select/insert/list/create/drop. Actions performed in a service, like 
mkdir or delete, are mapped to one of the permissions by the host service. Some 
services have fewer permissions but larger number of actions that can be 
performed. For example, HDFS service supports following permissions:
 * read
 * write
 * execute

However, list of actions that can be performed are a lot more:
 * mkdirs
 * open
 * WRITE
 * delete
 * rename
 * setOwner
 * listStatus
 * listEncryptionZones
 * ..

Enhancing Ranger polcies to restrict actions that can be performed will help 
setup finer control on accesses that can be granted. For the example given 
above, a user having {{write}} permission can perform following actions: 
{{{}mkdir{}}}, {{{}WRITE{}}}, {{{}delete{}}}, {{{}rename{}}}, {{{}setOwner{}}}. 
This can be enhanced to authorize only {{WRITE}} action (and not 
{{{}mkdirs{}}}, {{{}delete{}}}, {{{}rename{}}}).

 

Here are more details on this enhancement request:
 # Permission asked by the host service must exists for the user before 
enforcing restrictions on {{action}} i.e. only having grant for the action is 
not enough to authorize the access. Consider a policy granting {{read}} 
permission with action as {{{}mkdir{}}}. This policy doesn't allow the user to 
perform {{mkdir}} action, as the user doesn't have necessary permission, 
{{{}write{}}}, in the first place.
 # Actions should be supported in deny as well, enabling explicit denial of 
specific actions.
 # When no action is specified in a policy item, no restrictions on actions 
will be enforced i.e. all actions will be allowed.
 # It should be possible to grant access to multiple actions using wildcard at 
the end - like {{{}list*{}}}, {{{}get*{}}}. 

This can be implemented with a custom condition named {{{}actions{}}}, similar 
to existing condition implementations like {{{}RangerIpMatcher{}}}. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to