[
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14695962#comment-14695962
]
Balaji Ganesan commented on RANGER-606:
---------------------------------------
[~madhan.neethiraj] My concern is we are overburdening existing users with a
feature that they may not have asked for. User are using Ranger for explicitly
granting access, and now we are introducing deny across all the services, all
the policies. My question is why do we need to do that? For my, deny can start
as a global blacklist and gradually be introduced at classification/tag level
and then into resource based policies.
Please don't get me wrong. Having a deny option is great for all policies, but
do users really need it? Do we need to have option to deny users at Storm or
Kafka level? Blocking users by ip might make sense for Kafka, but what about
Storm? Or Yarn?
> Add support for deny policies
> ------------------------------
>
> Key: RANGER-606
> URL: https://issues.apache.org/jira/browse/RANGER-606
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when
> specific conditions are met (for example, resources, user, groups,
> access-type, custom-conditions..). In addition to this, having the ability to
> create policies that deny access for specific conditions will help address
> many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like
> resources/users/groups/access-types/custom-conditions
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
