[ 
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14711418#comment-14711418
 ] 

Balaji Ganesan commented on RANGER-606:
---------------------------------------

[~madhan.neethiraj] Currently, the resource policies are simple enough to 
understand. If you do not have a policy, there is no access. We do have a 
federated model in HDFS where we do rely on native HDFS permissions. 
Introducing deny adds in a layer of complexity. For example:

# If a Hive policy has columns excluded in the resources section, and we deny 
the user for this set of resources, what does that really mean? It would mean 
the user is denied for all columns except the column excluded in the resource 
section. A layman policy creator will really need to think through before 
constructing a policy.

# In HDFS, if we introduce a deny in the policy, does that mean we do not fall 
back to HDFS permissions? What are the implications of that for Falcon and 
other components which set permissions natively?

The point is resource level deny introduces another layer of complexity, and we 
should not be unleashing it on Ranger users unless there is a clear value 
proposition. 

> Add support for deny policies 
> ------------------------------
>
>                 Key: RANGER-606
>                 URL: https://issues.apache.org/jira/browse/RANGER-606
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when 
> specific conditions are met (for example, resources, user, groups, 
> access-type, custom-conditions...). In addition to this, having the ability to 
> create policies that deny access for specific conditions will help address 
> many use cases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like 
> resources/users/groups/access-types/custom-conditions



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
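
Added example, not part of the original message and not Ranger's code: a toy Python model of the first point in the comment above, showing how a resource section with an excluded column inverts its meaning when the policy effect changes from allow to deny. The `Policy` class, the `excludes` flag, the deny-wins-over-allow rule and the sample table are assumptions made for illustration.

```python
# Toy model for illustration only; not Ranger's policy engine or API.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    effect: str             # "allow" or "deny"
    users: frozenset
    columns: tuple          # column patterns from the resources section
    excludes: bool = False  # True: resource is every column NOT matching

    def covers(self, user, column):
        if user not in self.users:
            return False
        hit = any(fnmatchcase(column, p) for p in self.columns)
        return hit != self.excludes  # the excludes flag inverts the match


def is_allowed(policies, user, column):
    """Assumed semantics: deny wins over allow; no matching allow, no access."""
    matching = [p for p in policies if p.covers(user, column)]
    if any(p.effect == "deny" for p in matching):
        return False
    return any(p.effect == "allow" for p in matching)


def readable_columns(policies, user, table_columns):
    return [c for c in table_columns if is_allowed(policies, user, c)]


# Constructed sample table and user.
TABLE = ["name", "email", "ssn", "salary"]
U = frozenset({"analyst"})

# Allow policy with "ssn" excluded: every column except ssn is readable.
ALLOW_EXCLUDING_SSN = [Policy("allow", U, ("ssn",), excludes=True)]

# The same resource section with a deny effect, layered on a broad allow:
# the deny covers every column except ssn, so ssn is the only readable one.
DENY_EXCLUDING_SSN = [
    Policy("allow", U, ("*",)),
    Policy("deny", U, ("ssn",), excludes=True),
]

if __name__ == "__main__":
    print(readable_columns(ALLOW_EXCLUDING_SSN, "analyst", TABLE))
    print(readable_columns(DENY_EXCLUDING_SSN, "analyst", TABLE))
```
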
