[
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14694573#comment-14694573
]
Madhan Neethiraj commented on RANGER-606:
-----------------------------------------
>> 1. How are these policies created in Ranger? Would Ranger have a separate UI
>> for this?
Existing UI for create/edit policies in Ranger Admin will include an option,
named 'Policy Type', with 'Allow' and 'Deny' as valid values. Default value
will be 'Allow'.
>> 2. What will be the hierarchy if there is a deny policy or an allow policy
>> for the same user?
Policy engine will evaluate the policies in the following order to determine
authorization:
- Evaluate all 'Deny' policies. If any deny policy matches the access request
(resource, user/group, conditions, access-type), the access will be DENIED and
no other policies will be evaluated.
- After all 'Deny' policies are evaluated, evaluate all 'Allow' policies. If
any 'Allow' policy matches the access request, the access will be ALLOWED. This
step is similar to the existing policy engine flow.
> Add support for deny policies
> ------------------------------
>
> Key: RANGER-606
> URL: https://issues.apache.org/jira/browse/RANGER-606
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
>
> Currently Ranger supports creation of policies that can allow access when
> specific conditions are met (for example, resources, user, groups,
> access-type, custom-conditions...). In addition to this, having the ability to
> create policies that deny access for specific conditions will help address
> many use cases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like
> resources/users/groups/access-types/custom-conditions
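The evaluation order described in the comment above (all 'Deny' policies first, then 'Allow' policies), modeled as an added example; this is not Ranger's code. The class and function names, the glob-style resource matching, and the `NOT_DETERMINED` result for a request that matches no policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Optional

@dataclass(frozen=True)
class Request:
    resource: str
    user: str
    groups: frozenset
    access_type: str
    client_ip: str = ""

@dataclass
class Policy:
    name: str
    resource: str                      # glob pattern (matching style is an assumption)
    access_types: set
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    condition: Optional[Callable[[Request], bool]] = None
    policy_type: str = "Allow"         # 'Allow' or 'Deny'; default 'Allow' per the comment

    def matches(self, req: Request) -> bool:
        # A policy matches only if resource, user/group, access-type and condition all match.
        return (fnmatchcase(req.resource, self.resource)
                and req.access_type in self.access_types
                and (req.user in self.users or bool(self.groups & req.groups))
                and (self.condition is None or self.condition(req)))

def evaluate(policies, req):
    """Return (decision, matching policy name) using deny-first ordering."""
    for p in policies:                 # step 1: any matching 'Deny' policy ends evaluation
        if p.policy_type == "Deny" and p.matches(req):
            return "DENIED", p.name
    for p in policies:                 # step 2: only then are 'Allow' policies considered
        if p.policy_type == "Allow" and p.matches(req):
            return "ALLOWED", p.name
    return "NOT_DETERMINED", None      # assumption: the comment does not cover this case

# Constructed sample policies; the allow policy is listed first on purpose,
# to show that list position does not let it win over a deny policy.
POLICIES = [
    Policy("analysts-read", "/data/sales/*", {"read"}, groups={"analysts"}),
    Policy("block-carol", "/data/sales/*", {"read", "write"}, users={"carol"},
           policy_type="Deny"),
    Policy("block-offnet", "/data/*", {"read", "write"}, groups={"analysts"},
           condition=lambda r: not r.client_ip.startswith("10."), policy_type="Deny"),
]
```

A user who is in an allowed group and also named in a deny policy is denied, which is the case the second question in the thread asks about.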