[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of given type

2023-03-31 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707430#comment-17707430
 ] 

Ramesh Mani commented on RANGER-4165:
-

[~mad...@apache.org]  Thanks for the clarification and suggestion. I shall 
check on this.

> API to find whether a user/group is authorized to the given operation on any 
> resource of given type
> -
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
>
> API to find whether a user/group is authorized to the given operation on any 
> resource of given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of given type

2023-03-31 Thread Madhan Neethiraj (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707414#comment-17707414
 ] 

Madhan Neethiraj commented on RANGER-4165:
--

> This is needed to implement a Ranger Kafka authorizer API which checks 
> if the caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.

[~rmani]  - as you called out, there is no way to ask the policy-engine to find 
if a given user has specific access on _any_ resource of a given type. For 
example, find if user1 has WRITE access on _any_ TOPIC. This will require 
special provision to represent _any_ TOPIC.

One option to consider is to use a value like '**' to represent _any_ 
resource, similar to RangerAbstractResourceMatcher.WILDCARD_ASTERISK. 
And have resource matcher implementations updated to handle this special case.



[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of given type

2023-03-31 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707395#comment-17707395
 ] 

Ramesh Mani commented on RANGER-4165:
-

[~mad...@apache.org] [~abhayk] 

Currently the policyEngine APIs don't have a way to figure out this request. All 
we can do is run through all the policies and find all the resources of the given 
type and run the authorizer for each of those resources found for the call. 
This may not be the efficient way to get the result.

Is there a better way to find this, like having a cache for resources in the 
policies and running through the policy engine?

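The two approaches raised in this thread, side by side, as an added example that is not part of the thread and is not Ranger code: enumerating the resources named in policies of a type and authorizing each, versus one evaluation with a '**' sentinel that the matcher treats as any resource. It assumes a toy model with allow-only policies, one user per policy and trailing-'*' prefix wildcards; `Policy`, `ANY_RESOURCE`, `matches`, `isAllowed`, `anyByEnumeration` and `anyBySentinel` are hypothetical names.

```java
import java.util.*;

// Toy model, not Ranger code: allow-only policies, one user per policy. Needs Java 16+.
public class AnyResourceCheck {
    // Hypothetical sentinel meaning "any resource of this type" (the '**' idea from the thread).
    static final String ANY_RESOURCE = "**";
    record Policy(String type, String pattern, String user, Set<String> accesses) {}

    // A trailing '*' in the policy is a prefix wildcard; the sentinel matches every policy.
    static boolean matches(String pattern, String resource) {
        if (ANY_RESOURCE.equals(resource)) return true;
        if (pattern.endsWith("*"))
            return resource.startsWith(pattern.substring(0, pattern.length() - 1));
        return pattern.equals(resource);
    }

    static boolean isAllowed(List<Policy> ps, String user, String access, String type, String res) {
        for (Policy p : ps)
            if (p.type().equals(type) && p.user().equals(user)
                    && p.accesses().contains(access) && matches(p.pattern(), res)) return true;
        return false;
    }

    // Brute force: take every resource value named by a policy of this type, authorize each.
    static boolean anyByEnumeration(List<Policy> ps, String user, String access, String type) {
        Set<String> candidates = new TreeSet<>();
        for (Policy p : ps) if (p.type().equals(type)) candidates.add(p.pattern());
        for (String c : candidates) if (isAllowed(ps, user, access, type, c)) return true;
        return false;
    }

    // Sentinel: a single evaluation with the special resource value.
    static boolean anyBySentinel(List<Policy> ps, String user, String access, String type) {
        return isAllowed(ps, user, access, type, ANY_RESOURCE);
    }

    public static void main(String[] args) {
        List<Policy> ps = List.of( // constructed sample policies
            new Policy("TOPIC", "orders-*", "user1", Set.of("READ")),
            new Policy("TOPIC", "audit", "user1", Set.of("WRITE")),
            new Policy("GROUP", "*", "user2", Set.of("READ")));
        String[][] queries = {{"user1", "WRITE", "TOPIC"}, {"user1", "WRITE", "GROUP"},
                              {"user2", "WRITE", "GROUP"}, {"user2", "READ", "GROUP"}};
        for (String[] q : queries) {
            boolean a = anyByEnumeration(ps, q[0], q[1], q[2]);
            boolean b = anyBySentinel(ps, q[0], q[1], q[2]);
            if (a != b) throw new AssertionError("approaches disagree");
            System.out.println(String.join(" ", q) + " -> " + b);
        }
    }
}
```

The two methods agree here only because every matching policy grants access; in a model with deny or exclude items, a policy that matches the sentinel no longer implies that some concrete resource is allowed, so the matcher change alone would not be enough.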