[
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14694893#comment-14694893
]
Madhan Neethiraj commented on RANGER-606:
-----------------------------------------
>>Existing UI for create/edit policies in Ranger Admin will include an option,
>>named 'Policy Type', with 'Allow' and 'Deny' as valid values. Default value
>>will be 'Allow'.
>>>> Why are using the existing policy screen? It would add to the complexity
>>>> of managing a policy. The deny should be part of a separate UI screen, imo.
How would the UI for deny policy be different from allow policy? I think the
content will exactly be the same - resources, multiple policyItems with {
users/groups, access-types, custom-conditions }. This will enable creating
policies like:
- deny US-employees access to specific tables
- deny all users write access to specific files during specific time slots in
a day
> Add support for deny policies
> ------------------------------
>
> Key: RANGER-606
> URL: https://issues.apache.org/jira/browse/RANGER-606
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when
> specific conditions are met (for example, resources, user, groups,
> access-type, custom-conditions..). In addition to this, having the ability to
> create policies that deny access for specific conditions will help address
> many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like
> resources/users/groups/access-types/custom-conditions
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
