[
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14979759#comment-14979759
]
Balaji Ganesan commented on RANGER-606:
---------------------------------------
Yan, thanks for your response. I had some issues understanding your
alternative proposals. Would you be kind enough and explain your proposal
with some examples? Time stamped policies, though make sense technically,
sound more complex to an average user to keep track of. If a security
solution is complex, users would probably stop using it.
My take would be keep the policy definition to start with and iterate as we
get feedback from Ranger user community. The initial concern with deny
exceptions was that users would need to be intelligent enough to figure out
to use that if they need to exclude users from a global deny.
> Add support for deny policies
> ------------------------------
>
> Key: RANGER-606
> URL: https://issues.apache.org/jira/browse/RANGER-606
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when
> specific conditions are met (for example, resources, user, groups,
> access-type, custom-conditions..). In addition to this, having the ability to
> create policies that deny access for specific conditions will help address
> many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like
> resources/users/groups/access-types/custom-conditions
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
