[jira] [Comment Edited] (RANGER-874) Deny & allow/deny exceptions in policies should be optional

Thu, 07 Apr 2016 16:00:03 -0700 

    [ 
https://issues.apache.org/jira/browse/RANGER-874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15231294#comment-15231294
 ] 

Madhan Neethiraj edited comment on RANGER-874 at 4/7/16 10:58 PM:
------------------------------------------------------------------

To enable deny & allow/deny exceptions for a servicedef, update "options" 
attribute of the servicedef with the entry shown below:

{code}
"options": {
  "enableDenyAndExceptionsInPolicies":"true"
}
{code}



was (Author: madhan.neethiraj):
To enable deny & allow/deny exceptions for a servicedef, update "options" 
attribute of the servicedef with the entry shown below:

{code}
"options": {
  "enableDenyAndExceptionsInPolicies":true
}
{code}


> Deny & allow/deny exceptions in policies should be optional
> -----------------------------------------------------------
>
>                 Key: RANGER-874
>                 URL: https://issues.apache.org/jira/browse/RANGER-874
>             Project: Ranger
>          Issue Type: Sub-task
>          Components: admin
>    Affects Versions: 0.6.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.6.0
>
>         Attachments: 
> 0001-RANGER-874-deny-and-exceptions-in-policy-items-made-.patch
>
>
> Ranger policy model in 0.5 release and earlier supported the ability to 
> specify the conditions (user/group/ip/custom-condtions) to allow an access to 
> a resource. The policy model has been updated for the next release (0.6), 
> with ability to specify conditions to deny an access to a resource on 
> specified conditions (users/groups/custom-conditions).
> To support this update, Ranger Policy UI has been enhanced to show 
> policy-items in 4 groups: allow, allow-exceptions, deny and deny-exceptions. 
> Comments earlier in RANGER-606 suggested that introduction of deny and 
> exceptions adds complexity. To address this concern, the enhancements will be 
> made optional via servicedef. Only servicedefs that opt-in (for deny and 
> exceptions in policies) will be able to use these enhancements. For 
> servicedefs that don't opt-in, Ranger Admin will not show deny and exception 
> policy-item groups; also the policy-engine will ignore dent and exception 
> policy-items if found in policies - there by maintaining the simplicity of 
> the current policy model.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to