[ 
https://issues.apache.org/jira/browse/RANGER-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14698798#comment-14698798
 ] 

Abhay Kulkarni commented on RANGER-605:
---------------------------------------

1. TAG service definition will support a 'policyCondition' (named 
EnforceExpiry) which will enforce access permission based on value of 
'expiry_date' attribute of 'EXPIRES_ON' tag. This tag and the value of the 
tag-attribute will be specified during data-tagging operation and provided to 
Ranger.

2. When a new TAG service is created, RANGER will also create a default 
TAG-based policy under the TAG service of type 'ALLOW_EXCLUSIVE', for TAG 
'EXPIRES_ON' with group as 'public' and all permission to all supported 
components.

3. During policy evaluation, policy-engine will identify the expired data if it 
is tagged as 'EXPIRES_ON'. It will then consider the value provided for 
'EnforceExpiry' condition; 'no' or 'false' will bypass this check, any other 
value will enforce the check. If expiry needs to be checked, then 
ExpiryEnforcer will use value of 'expiry_date' to return a boolean value 
indicating if current time is greater than 'expiry_date'. If 'false' then 
access will not be granted for this policy-item.

> Create a default tag policy for 'EXPIRES_ON' tag name when a new tag service 
> is created
> ---------------------------------------------------------------------------------------
>
>                 Key: RANGER-605
>                 URL: https://issues.apache.org/jira/browse/RANGER-605
>             Project: Ranger
>          Issue Type: Sub-task
>          Components: admin
>    Affects Versions: 0.5.0
>            Reporter: Abhay
>            Assignee: Abhay Kulkarni
>
> Ranger needs to support enforcement of limited time access to data 
> identified as expirable. To achieve this, a default tag-based policy is 
> created under a newly created tag-service with tag-name as 'EXPIRES_ON' and 
> an attribute 'expiry_date' which contains time value after which access to 
> data tagged with 'EXPIRES_ON' needs to be blocked.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
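
A minimal model of the 'EnforceExpiry' evaluation described in the comment above, added here as an illustration; it is not code from the Ranger project. It follows the issue description's intent (access is blocked once the current time is past 'expiry_date'). The function names, the ISO-8601 date format, case-insensitive matching of 'no'/'false', and failing closed on a missing or malformed date are all assumptions.

```python
from datetime import datetime, timezone

BYPASS_VALUES = {"no", "false"}  # EnforceExpiry values that skip the check


def parse_expiry(raw):
    """Parse 'expiry_date'. ISO-8601 is an assumption; naive values are read as UTC."""
    parsed = datetime.fromisoformat(raw)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def expiry_condition_met(enforce_expiry, tag_attrs, now):
    """True when the EXPIRES_ON policy item may still grant access."""
    # Assumption: condition value is compared case-insensitively.
    if enforce_expiry.strip().lower() in BYPASS_VALUES:
        return True  # check bypassed by the policy condition
    try:
        expiry = parse_expiry(tag_attrs["expiry_date"])
    except (KeyError, TypeError, ValueError):
        return False  # assumption: missing or malformed date fails closed
    return now <= expiry  # blocked once current time is past expiry_date


def evaluate(enforce_expiry, tags, now):
    """Decide one request against the default EXPIRES_ON policy item."""
    attrs = tags.get("EXPIRES_ON")
    if attrs is None:
        return "NOT_APPLICABLE"  # resource does not carry the tag
    met = expiry_condition_met(enforce_expiry, attrs, now)
    return "ALLOWED" if met else "NOT_ALLOWED"


# Constructed sample data: (EnforceExpiry value, tags on the resource)
NOW = datetime(2015, 8, 17, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    ("yes", {"EXPIRES_ON": {"expiry_date": "2015-12-31T00:00:00+00:00"}}),
    ("yes", {"EXPIRES_ON": {"expiry_date": "2015-01-01T00:00:00"}}),
    ("false", {"EXPIRES_ON": {"expiry_date": "2015-01-01T00:00:00"}}),
    ("yes", {"EXPIRES_ON": {"expiry_date": "31/12/2015"}}),
    ("yes", {"PII": {}}),
]

if __name__ == "__main__":
    for condition, tags in SAMPLES:
        print(condition, tags, "->", evaluate(condition, tags, NOW))
```

The fourth sample shows why the failure mode matters: a tag whose date cannot be parsed would otherwise leave expired data readable under an allow policy.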