I am going to let Abhay or Madhan comment on #1 and #2.

Regarding #3, the goal was to emulate grant/revoke. And also (if possible) consolidate the policies for the same resources for different users.

Regards
Bosco

From: Eric Alton <sultanapea...@hotmail.com>
Reply-To: <user@ranger.apache.org>
Date: Friday, August 18, 2017 at 11:34 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: APIs to create, update, and delete policies

Thank you both. I used grantPrivileges and revokePrivileges as a guide to code up my own grant and revoke, which call RangerBasePlugin.grantAccess() and revokeAccess(). I have a few questions about this:

1. RangerBasePlugin.revokeAccess() does not appear to have an option to drop the policy. When a user creates and later drops a table, I am left with a policy with no permission set. Semantically this is fine, but I would prefer to have these policies dropped. Is there any way to do this? Playing around with replaceExistingPermissions did not help.
2. What is GrantRevokeRequest.requestData used for?
3. Using the RangerBasePlugin.grantAccess() method, there is no way to provide a policy name, correct?

Thanks
Eric

From: Don Bosco Durai <bo...@apache.org>
Sent: August 14, 2017 10:06 PM
To: user@ranger.apache.org
Subject: Re: APIs to create, update, and delete policies

Eric

Seems you are trying to emulate the ownership concept in Ranger. Historically, we have been staying away from the owner concept. Generally, in an enterprise, tables are owned by the group rather than an individual, and also there could be separation of duties. If you want individuals to own, then you can come up with regex patterns, e.g. john_* for user john. In this way, john can create, update and delete any table starting with john_ for the given database. Or create a database per user, and the user owns all the tables within her/his database. This will not address transferring ownership though.

But if you want to use the ownership concept, then one way to reliably implement this is to override the Ranger plugin implementation. You can look into the class RangerHiveAuthorizer for override methods for authorization. You should also look into the method public void grantPrivileges() where the grant/revoke is handled.

Thanks
Bosco

From: Abhay Kulkarni <akulka...@hortonworks.com>
Reply-To: <user@ranger.apache.org>
Date: Wednesday, August 9, 2017 at 4:41 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: APIs to create, update, and delete policies

Hi Eric,

REST APIs are the general way to programmatically create, delete, and update policies in Ranger. There are no Java APIs for this. You may want to take a look at this document for a list of REST APIs for managing services and policies. It is possible to use either policy-id or service-name and policy-name to update an existing policy. Also, you may want to look at the applyPolicy() API, which may be suitable for your use case.

Thanks,
-Abhay

From: Eric Alton <sultanapea...@hotmail.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Wednesday, August 9, 2017 at 1:49 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: APIs to create, update, and delete policies

I'm looking for suggestions on how best to implement this scenario.

1. User1 creates a table in their database. This should trigger the automatic creation of a Ranger policy granting User1 full access to the table.
2. User1 transfers ownership of the table to User2. The Ranger policy is updated to grant full access to User2 and remove access from User1.
3. User2 drops the table. The Ranger policy is deleted.

Are the REST APIs the only way to programmatically create, delete, and update policies? We are using RangerBasePlugin.isAccessAllowed to test user access, but I don't see any Java APIs for policy creation and maintenance.

Assuming the REST APIs are the only solution, it looks like the create policy REST API returns the policy ID. Do I need to store this ID so that it can be used to update and delete the policy later? In other words, is there any way to update or delete a policy by passing in fields other than the ID (i.e. policy name, or table schema + table name + user)?
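The create / transfer / drop lifecycle Eric describes, driven through Ranger's public v2 REST API and addressed by service name plus policy name rather than a stored policy id, as an added example. This is not code from the thread or from Apache Ranger itself; it assumes a Ranger Admin at RANGER_URL, a Hive service named hive_dev, HTTP basic auth with an assumed admin account, and the owner-<db>-<table> naming convention in table_policy_name(). The endpoint paths and the Hive access-type names are Ranger's public v2 API; everything else is illustrative. HTTP goes through a pluggable transport so the policy builders can be exercised offline.

```python
"""Ranger policy lifecycle for a table-owner scenario via the public v2 REST API.

Added example, not Ranger's own code. Assumed (not from the thread): RANGER_URL,
SERVICE, the basic-auth credentials, and the policy-name convention below.
"""
import base64
import json
import urllib.request

RANGER_URL = "http://ranger-admin.example.internal:6080"   # assumed
SERVICE = "hive_dev"                                       # assumed Hive service name
API = "/service/public/v2/api"
# Hive access types known to Ranger; "all" alone would do, the rest are explicit.
FULL_ACCESS = ["select", "update", "create", "drop", "alter", "index", "lock", "all"]


def table_policy_name(db: str, table: str) -> str:
    # Deterministic name, so the policy can be found/updated/deleted without its id.
    return f"owner-{db}-{table}"


def table_policy(db: str, table: str, owner: str) -> dict:
    """Policy document granting `owner` every access type on db.table (all columns)."""
    def res(value):
        return {"values": [value], "isExcludes": False, "isRecursive": False}
    return {
        "service": SERVICE,
        "name": table_policy_name(db, table),
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {"database": res(db), "table": res(table), "column": res("*")},
        "policyItems": [{
            "users": [owner], "groups": [], "delegateAdmin": False,
            "accesses": [{"type": t, "isAllowed": True} for t in FULL_ACCESS],
        }],
    }


def transfer_ownership(policy: dict, new_owner: str) -> dict:
    """Copy of `policy` whose single owner item names `new_owner` instead."""
    updated = json.loads(json.dumps(policy))
    updated["policyItems"][0]["users"] = [new_owner]
    return updated


def request(method, path, body=None, transport=None, user="admin", password="admin"):
    """One REST call. transport(method, url, data, headers) -> response text.
    Defaults to urllib; returns parsed JSON, or None for an empty body (DELETE)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": "Basic " + token}
    data = None if body is None else json.dumps(body).encode()
    if transport is None:
        def transport(m, u, d, h):
            req = urllib.request.Request(u, data=d, headers=h, method=m)
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode()
    text = transport(method, RANGER_URL + path, data, headers)
    return json.loads(text) if text else None


class RecordingTransport:
    """Offline stand-in for HTTP: records calls, answers GET with a canned policy."""
    def __init__(self, stored_policy=None):
        self.calls, self.stored = [], stored_policy

    def __call__(self, method, url, data, headers):
        self.calls.append((method, url, None if data is None else json.loads(data)))
        return json.dumps(self.stored) if method == "GET" else ""


# The three lifecycle steps from the thread, each keyed by service + policy name.
def create_table(db, table, owner, transport=None):
    return request("POST", f"{API}/policy", table_policy(db, table, owner), transport)


def change_owner(db, table, new_owner, transport=None):
    name = table_policy_name(db, table)
    current = request("GET", f"{API}/service/{SERVICE}/policy/{name}", transport=transport)
    return request("PUT", f"{API}/service/{SERVICE}/policy/{name}",
                   transfer_ownership(current, new_owner), transport)


def drop_table(db, table, transport=None):
    name = table_policy_name(db, table)
    return request("DELETE", f"{API}/policy?servicename={SERVICE}&policyname={name}",
                   transport=transport)


if __name__ == "__main__":
    # Dry run against the recorder; pass transport=None to talk to a real Ranger.
    t = RecordingTransport(stored_policy=table_policy("sales", "orders", "user1"))
    create_table("sales", "orders", "user1", t)
    change_owner("sales", "orders", "user2", t)
    drop_table("sales", "orders", t)
    for method, url, body in t.calls:
        print(method, url, "" if body is None else body["policyItems"][0]["users"])
```

Two practical notes. The DELETE-by-name call is what removes the empty policy that RangerBasePlugin.revokeAccess() leaves behind in Eric's step 3; the plugin's grant/revoke path only edits policy items. And Ranger's `POST .../policy/apply` endpoint (the applyPolicy Abhay points to) merges the posted items into whatever policy already covers the same resource, which suits Bosco's wish to consolidate per-user items for one table into a single policy, but then a per-table policy name is no longer guaranteed, so delete by looking the policy up by resource rather than by name. The admin credentials here are a placeholder: in practice use a service-admin account scoped to the one Ranger service, not the global admin.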