[ https://issues.apache.org/jira/browse/RANGER-699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14967790#comment-14967790 ]

Madhan Neethiraj commented on RANGER-699:
-----------------------------------------

[~yonzhang2012] thanks! I would like to share my initial thoughts on this, 
please consider.

All details of a policy (resources, users, groups, accesses, custom conditions) 
are captured in the RangerPolicy class. I think it will be helpful for the new API 
to use an object of this class to receive the details of the desired 
authorization. This will help to ensure that any future enhancements to 
RangerPolicy are automatically available to this new API. The following pseudocode 
should help to illustrate the usage:

{noformat}
public class PublicAPIsv2 {

    public RangerPolicy applyPolicy(RangerPolicy policy) { // new API
        existingPolicy = findPolicyForResource(policy.resources)

        If existingPolicy == null:
            ret = createPolicy(policy)
        Else:
            // 1. update existing policy to remove references to users and groups listed in policy
            For each policyItem in policy:
                For each existingPolicyItem in existingPolicy:
                    existingPolicyItem.users.remove(policyItem.users)
                    existingPolicyItem.groups.remove(policyItem.groups)
                    If isEmpty(existingPolicyItem.users) && isEmpty(existingPolicyItem.groups):
                        deletePolicyItem(existingPolicyItem)

            // 2. create policyItems (an item with no accesses only revokes, it adds nothing)
            For each policyItem in policy:
                If isNotEmpty(policyItem.accesses):
                    createPolicyItem(policyItem)

            ret = existingPolicy

        return ret
    }

}
{noformat}


> higher level policy API to hide complexity of policy update/create/delete
> -------------------------------------------------------------------------
>
>                 Key: RANGER-699
>                 URL: https://issues.apache.org/jira/browse/RANGER-699
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 0.6.0
>            Reporter: Edward Zhang
>             Fix For: 0.6.0
>
>   Original Estimate: 720h
>  Remaining Estimate: 720h
>
> Ranger has a very good fine-grained policy API with which a user can define 
> access control rules for any resource. But sometimes it is not a human being 
> but a third-party tool that uses the Ranger policy API to temporarily block or 
> unblock a user. The third-party tool just wants to tell Ranger 
> "please block/unblock this user from accessing resource A", and the third-party 
> tool is not able to analyze complicated scenarios such as the following:
> 1. Exactly the same rule already exists for resource A
> 2. The current rules for resource A include the new rule implicitly
> 3. There are no rules at all for resource A
> If it is an admin operating on the policy, the admin can analyze the policy semantics and 
> will figure out whether to create a new policy or update an existing policy. 
> To better support integration from third-party tools, Ranger can provide a 
> higher level API which accepts a request like "block user access to one 
> resource" and internally figures out what policy to create/update.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
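The merge that the comment above sketches (look up the policy for the resource; if there is none, create it; otherwise retract the requested principals from every existing item and then append the request's items) is easiest to check against the three scenarios in the issue description with a runnable model. The block below is an added example for this thread, written in Python against a constructed in-memory model of the Ranger policy shape; it is not Ranger's code and not the proposed PublicAPIsv2 implementation. PolicyStore, apply_policy, find_policy_for_resource, the sample resource /data/sales and the users and groups are assumptions for the example. It goes one step beyond the pseudocode in two places: it runs step 1 over the deny policy items as well as the allow items, so that a "block" request also retracts an earlier "allow" for the same user (and an "unblock" retracts an earlier deny), and it bumps a per-policy version on every write as a stand-in for the optimistic-concurrency check a real service would need, because two tools can race on this read-modify-write.

```python
"""Merge semantics of a higher-level "apply policy" call, modelled in Python.

Added example, not Ranger's code. The policy shape (a resource map plus
allow items and deny items) is a constructed, simplified stand-in for
RangerPolicy; PolicyStore and its method names are assumptions.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PolicyItem:
    """One policy item: which users/groups get which accesses."""
    users: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)
    accesses: List[str] = field(default_factory=list)  # e.g. ["read", "write"]


@dataclass
class Policy:
    """Resource key plus allow items and deny items."""
    resources: Dict[str, Tuple[str, ...]]  # e.g. {"path": ("/data/sales",)}
    policy_items: List[PolicyItem] = field(default_factory=list)
    deny_policy_items: List[PolicyItem] = field(default_factory=list)
    version: int = 1  # bumped on every write; a caller can compare before/after


def _useful(item: PolicyItem) -> bool:
    """An item only grants or denies something if it names a principal and an access."""
    return bool(item.accesses) and bool(item.users or item.groups)


class PolicyStore:
    """Minimal stand-in for the admin's policy database (assumption)."""

    def __init__(self) -> None:
        self._policies: List[Policy] = []

    def find_policy_for_resource(self, resources: Dict[str, Tuple[str, ...]]) -> Optional[Policy]:
        # A real store would also key on the service; the resource map is the only key here.
        return next((p for p in self._policies if p.resources == resources), None)

    def create_policy(self, policy: Policy) -> Policy:
        stored = deepcopy(policy)
        self._policies.append(stored)
        return stored

    def apply_policy(self, request: Policy) -> Policy:
        existing = self.find_policy_for_resource(request.resources)
        if existing is None:
            # Scenario 3: no rules for this resource, so the request becomes the policy.
            fresh = deepcopy(request)
            fresh.policy_items = [i for i in fresh.policy_items if _useful(i)]
            fresh.deny_policy_items = [i for i in fresh.deny_policy_items if _useful(i)]
            return self.create_policy(fresh)

        # Step 1: retract every principal named in the request from every existing
        # item, allow and deny alike. This is what makes a repeated request a no-op
        # (scenario 1) and what replaces a rule that already covered the principal
        # (scenario 2): a "block" clears an earlier "allow" for the user, and vice versa.
        requested = request.policy_items + request.deny_policy_items
        req_users = {u for i in requested for u in i.users}
        req_groups = {g for i in requested for g in i.groups}
        for item_list in (existing.policy_items, existing.deny_policy_items):
            for item in item_list:
                item.users = [u for u in item.users if u not in req_users]
                item.groups = [g for g in item.groups if g not in req_groups]
            # Drop items that no longer name anyone (the deletePolicyItem step).
            item_list[:] = [i for i in item_list if i.users or i.groups]

        # Step 2: append the request's items. An item with principals but no
        # accesses is a pure revoke: its principals were removed above, nothing is added.
        existing.policy_items += [deepcopy(i) for i in request.policy_items if _useful(i)]
        existing.deny_policy_items += [deepcopy(i) for i in request.deny_policy_items if _useful(i)]
        existing.version += 1
        return existing


def demo_block_twice() -> Policy:
    """Constructed walk-through: block bob, then send the identical request again."""
    store = PolicyStore()
    sales = {"path": ("/data/sales",)}
    store.create_policy(Policy(sales, policy_items=[
        PolicyItem(groups=["analysts"], accesses=["read", "write"]),
        PolicyItem(users=["alice", "bob"], accesses=["read"]),
    ]))
    block_bob = Policy(sales, deny_policy_items=[PolicyItem(users=["bob"], accesses=["read", "write"])])
    store.apply_policy(block_bob)
    return store.apply_policy(deepcopy(block_bob))  # same items as after the first apply
```

Applying the same block request twice leaves one deny item for bob and removes him from the allow item he shared with alice; sending an allow item for bob afterwards retracts the deny and re-grants him, and an item that names bob with no accesses simply removes him everywhere. Whether a deny item should also strip the user out of a group-level allow item, as the model does for explicitly named users, is a policy decision the real API would have to document.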