[
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14710827#comment-14710827
]
Madhan Neethiraj commented on RANGER-606:
-----------------------------------------
[~bosco] Current authorization policies in Ranger are centered around resources
(files/directories/database/tables/columns/column-families/...). Can you please
share your concerns on updating the current policy mode to support deny (in
addition to the current allow)? I think deny will be the most straightforward
case to understand and use. Further use cases, like the ones below, would
require more discussion - to ensure ease-of-use and manageability:
- for a given resource, deny everything except the ones allowed by this
  policy. For example:
  - allow access to /hr/admin/* directory *only* to hr-admin group
  - allow access to expired_data only to archival user
- the opposite of the above: for a given resource, allow everything except the
  ones denied by this policy
> Add support for deny policies
> ------------------------------
>
> Key: RANGER-606
> URL: https://issues.apache.org/jira/browse/RANGER-606
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when
> specific conditions are met (for example, resources, user, groups,
> access-type, custom-conditions..). In addition to this, having the ability to
> create policies that deny access for specific conditions will help address
> many use cases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like
> resources/users/groups/access-types/custom-conditions
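A small model of the policy kinds discussed in the comment above, added here as an illustration; it is not Ranger code and does not use Ranger's policy schema. The four policy kinds, the deny-wins precedence, the default of no access when nothing matches, and every path and principal other than /hr/admin/*, hr-admin, expired_data and archival are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical policy kinds modelling the cases in the comment (not Ranger's schema).
ALLOW, DENY, ALLOW_ONLY, ALLOW_EXCEPT = "allow", "deny", "allow-only", "allow-except"

@dataclass(frozen=True)
class Policy:
    resource: str                      # glob over a path-like resource name
    kind: str
    users: frozenset = frozenset()
    groups: frozenset = frozenset()

    def names(self, user, groups):
        """True when the policy lists this user or one of the user's groups."""
        return user in self.users or bool(self.groups & set(groups))

def is_allowed(policies, resource, user, groups=()):
    """Assumed semantics: any deny wins; no matching allow means no access."""
    allowed = False
    for p in policies:
        if not fnmatchcase(resource, p.resource):
            continue
        named = p.names(user, groups)
        # Explicit deny, or an exclusive policy that leaves this caller out.
        if (p.kind == DENY and named) or (p.kind == ALLOW_ONLY and not named) \
                or (p.kind == ALLOW_EXCEPT and named):
            return False
        if named or p.kind == ALLOW_EXCEPT:
            allowed = True             # allow / allow-only names the caller,
                                       # or allow-except does not exclude them
    return allowed

# Constructed sample policies; only the two ALLOW_ONLY cases come from the comment.
POLICIES = [
    Policy("/hr/*", ALLOW, groups=frozenset({"hr", "hr-admin"})),
    Policy("/hr/admin/*", ALLOW_ONLY, groups=frozenset({"hr-admin"})),
    Policy("/archive/expired_data", ALLOW_ONLY, users=frozenset({"archival"})),
    Policy("/public/*", ALLOW_EXCEPT, users=frozenset({"contractor1"})),
    Policy("/hr/*", DENY, users=frozenset({"mallory"})),
]

if __name__ == "__main__":
    for res, user, grps in [("/hr/admin/payroll.csv", "alice", ["hr"]),
                            ("/hr/admin/payroll.csv", "bob", ["hr-admin"]),
                            ("/hr/admin/payroll.csv", "mallory", ["hr-admin"]),
                            ("/public/readme", "contractor1", [])]:
        print(res, user, "ALLOW" if is_allowed(POLICIES, res, user, grps) else "DENY")
```

The broad /hr/* allow does not leak into /hr/admin/* because the exclusive policy rejects anyone it does not name, which is the manageability question the comment raises: every policy matching a resource has to be read together to know the outcome.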