[ https://issues.apache.org/jira/browse/RANGER-877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj reopened RANGER-877:
-------------------------------------
The changes introduced in this JIRA do not allow an exception to be specified
in a policy, so that another policy can determine the authorization result.
This could be desirable behavior for some use cases; hence this change needs to
be reverted.
> Exceptions in policies: allow-exceptions should implicitly deny;
> deny-exceptions should implicitly allow
> --------------------------------------------------------------------------------------------------------
>
> Key: RANGER-877
> URL: https://issues.apache.org/jira/browse/RANGER-877
> Project: Ranger
> Issue Type: Sub-task
> Components: plugins
> Affects Versions: 0.6.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.6.0
>
> Attachments:
> 0001-RANGER-877-Exceptions-in-policies-allowExceptions-sh.patch
>
>
> In the current policy model (in 0.6), adding a user/group to allowExceptions
> does not automatically deny access to the user/group; the user/group should
> explicitly be added to denyPolicyItems. Similarly adding a user/group to
> denyExceptions does not allow access to the user/group; the user/group should
> explicitly be added to allowPolicyItems.
> While this behavior offers flexibility, it does not seem very intuitive for
> many users. Hence this JIRA to ask for a change in the policy engine to
> implicitly treat allowExceptions as deny and denyExceptions as allow.
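
The two behaviours discussed in this issue, as an added example (a simplified model, not Ranger's policy engine code). The four field names come from the issue text; `evaluate_policy`, `authorize`, the deny-before-allow and first-determinate-result-wins ordering, and the sample users and groups are assumptions made for illustration.

```python
from dataclasses import dataclass

ALLOW, DENY, UNDETERMINED = "ALLOW", "DENY", "UNDETERMINED"

@dataclass(frozen=True)
class Policy:
    # Field names as used in the issue text; each holds user/group names.
    allowPolicyItems: frozenset = frozenset()
    allowExceptions: frozenset = frozenset()
    denyPolicyItems: frozenset = frozenset()
    denyExceptions: frozenset = frozenset()

def evaluate_policy(policy, principals, implicit_exceptions):
    """Result of one policy for a requester (set of user name + group names).

    implicit_exceptions=False: the 0.6 model, where an exception only removes
    the requester from the matching item and leaves the result undetermined.
    implicit_exceptions=True: the behaviour requested in RANGER-877, where
    allowExceptions acts as deny and denyExceptions acts as allow.
    """
    deny_hit = principals & policy.denyPolicyItems
    deny_exc = principals & policy.denyExceptions
    allow_hit = principals & policy.allowPolicyItems
    allow_exc = principals & policy.allowExceptions
    if deny_hit and not deny_exc:
        return DENY
    if implicit_exceptions and allow_exc:
        return DENY
    if allow_hit and not allow_exc:
        return ALLOW
    if implicit_exceptions and deny_exc:
        return ALLOW
    return UNDETERMINED

def authorize(policies, principals, implicit_exceptions):
    """Assumed ordering: the first policy with a determinate result decides."""
    for policy in policies:
        result = evaluate_policy(policy, principals, implicit_exceptions)
        if result != UNDETERMINED:
            return result
    return UNDETERMINED

# Constructed sample: group policy with an exception, then a per-user policy.
GROUP_POLICY = Policy(allowPolicyItems=frozenset({"analysts"}),
                      allowExceptions=frozenset({"alice"}))
USER_POLICY = Policy(allowPolicyItems=frozenset({"alice"}))
ALICE = {"alice", "analysts"}

if __name__ == "__main__":
    for mode in (False, True):
        print("implicit" if mode else "explicit",
              authorize([GROUP_POLICY, USER_POLICY], ALICE, mode))
```

With explicit exceptions the group policy steps aside for `alice` and the per-user policy decides; with implicit exceptions the group policy denies her outright, which is the loss of flexibility the reopen comment describes.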