[
https://issues.apache.org/jira/browse/RANGER-699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15001412#comment-15001412
]
Madhan Neethiraj commented on RANGER-699:
-----------------------------------------
[~yonzhang2012] If this REST API does not require the callers to know the
status of the user/group (i.e. whether allowed or denied, list of accessTypes)
in the policy being updated, then the API implementation should do the
following:
{noformat}
- for each policyItem in givenPolicy.policyItems:
remove the users/groups referenced in the policyItem from all
existingPolicy.policyItems and existingPolicy.denyPolicyItems
add policyItem to existingPolicy.policyItems
- for each policyItem in givenPolicy.denyPolicyItems:
remove the users/groups referenced in the policyItem from all
existingPolicy.policyItems and existingPolicy.denyPolicyItems
add policyItem to existingPolicy.denyPolicyItems
{noformat}
This should result in the updated policy to have all the permissions specified
in the givenPolicy.
Above logic should be extended to deal with allowExceptions/denyExceptions in
the givenPolicy and extendedPolicy; but I think implementing the above should
be the first step and might satisfy your requirements.
I apologize for the delay in my response.
> higher level policy API to hide complexity of policy update/create/delete
> -------------------------------------------------------------------------
>
> Key: RANGER-699
> URL: https://issues.apache.org/jira/browse/RANGER-699
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 0.6.0
> Reporter: Edward Zhang
> Assignee: Edward Zhang
> Fix For: 0.6.0
>
> Original Estimate: 720h
> Remaining Estimate: 720h
>
> Ranger has very good fine-grained policy API with which user can define
> access control rules for any resource. But sometimes it is not human being
> but third party tools may use Ranger policy API to temporarily block or
> unblock user. The third party tool just wants to simply tell Ranger that
> "please block/unblock this user from accessing resource A" and the third
> party tool is not able to analyze the complicated scenarios as follows:
> 1. The exactly same rule already exists for resource A
> 2. The current rules for resource A includes the new rule implicitly
> 3. There is no any rules for resource A
> If it's admin to operate the policy, admin can analyze policy semantics and
> will figure out it's to create a new policy or update an existing policy.
> To better support integration from third party tool, Ranger can provide a
> higher level API which accepts request like "block user access to one
> resource" and internally figure out what policy to create/update.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
