[
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14990892#comment-14990892
]
Balaji Ganesan commented on RANGER-606:
---------------------------------------
[~yzhou2001] Thanks for your feedback again and sorry for the late reply. My
comments based on your response
<<DENY is to be added, but not as a different type of policy item; but as a
convenience utility and work in the scope of individual repositories>>
I was thinking of adding Deny in the service definition, which would mean deny
could be added per service. For example, Hive service definition could like
this (I have attached a link for service definition with this JIRA).
"policyTypes":
[
{
"itemId": 1,
"name": "allow",
"label": "Allow"
},
{
"itemId": 2,
"name": "allow-exception",
"label": "Allow-Exception"
},
{
"itemId": 3,
"name": "Deny",
"label": "Deny"
},
{
"itemId": 4,
"name": "deny-exception",
"label": "Deny-Exception"
},
]
We probably need a UI to change this. This is similar to a repository, except
it can be applied easily using REST APIs or potentially UI. We can have deny
policies for tag level policies only or only for Hive.
<< For each type of resources, identify the privilege keys, adding the guard in
code against the attempts to create duplicate entries on the keys to guarantee
the privilege uniqueness. For instance, currently for HDFS, path is used as a
key to guarantee the uniqueness between policies. In addition, the user list
too should be checked in each policy to guarantee the uniqueness of the
combinatorial key of (path, user)>>
Ranger creates an error if the users tries to create policy for same resource.
I like the idea of make it smarter to involve users in the check as well. With
the introduction of tag policies, there will be conflicts between tag policies
and individual resource level policies, the code should check if there is a tag
existing for a resource and if there is a policy existing for that. We can
probably create a discuss thread on this. Is this something you would be
interested to help with?
> Add support for deny policies
> ------------------------------
>
> Key: RANGER-606
> URL: https://issues.apache.org/jira/browse/RANGER-606
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when
> specific conditions are met (for example, resources, user, groups,
> access-type, custom-conditions..). In addition to this, having the ability to
> create policies that deny access for specific conditions will help address
> many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like
> resources/users/groups/access-types/custom-conditions
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
