[jira] [Commented] (RANGER-606) Add support for deny policies

Sun, 16 Aug 2015 21:15:07 -0700 

    [ 
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14698992#comment-14698992
 ] 

Balaji Ganesan commented on RANGER-606:
---------------------------------------

[~madhan.neethiraj]

>>Is the requirement restricted to deny all access to a given set of 
>>users/groups?
Yes, the requirement I could think is to block certain users and groups across 
all services

>>Will there be a need to deny only a subset of access to based on certain 
>>conditions like time-of-day/geo-locations/ip-address? Like deny write access 
>>to selective resources to a set of: 1) suspected ip-addresses 2) 
>>time-of-the-day like before market open/ after market close 3) geographic 
>>locations like countries/states?
I would assume is, my point is we can build the deny capability iteratively. We 
do support IP address bind for certain services such as Knox, and it is more of 
a whitelist than blacklist. For IP address, I would imagine user including IP 
address which are allowed than including rogue IP as being denied. Ditto for 
time of the day. We can include time as between 9a-5p as the only time allowed 
for policy rather than restricting access if time is later than 5p. 
I am sure users would eventually morph into service/component level deny, but I 
have not seen any major requirement coming in from our users. 

> Add support for deny policies 
> ------------------------------
>
>                 Key: RANGER-606
>                 URL: https://issues.apache.org/jira/browse/RANGER-606
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when 
> specific conditions are met (for example, resources, user, groups, 
> access-type, custom-conditions..). In addition to this, having the ability to 
> create policies that deny access for specific conditions will help address 
> many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like 
> resources/users/groups/access-types/custom-conditions



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to