Hi Yujie,

In general, you should not create a new policy for every freshly created 
resource, for the reasons you listed. OWNER policies supported by Ranger will 
help in minimizing the number of policies needed for your use case, if 
resources in your project support the ownership concept.

  1.  You need to write one Ranger policy a priori, which is schematically shown 
below.
     *   "resources" : * (matches any accessed resource)
     *   PolicyItem: "users" : ["{OWNER}"], "groups": [], "accesses" : 
[<default accesses to be granted to resource owner>]
  2.  Your project's access control interface to Ranger needs to provide the 
"owner" of the resource being accessed to Ranger, and Ranger's representation 
of your project's accessed resource (which is generally a subclass of 
RangerAccessResourceImpl) needs to cache it using the setOwnerUser() API. The 
object representing the accessed resource needs to be set in the Ranger access 
request using the setResource() API.

This policy will grant default accesses specified in the policy to the creator 
of the resource.

Thanks,
-Abhay Kulkarni
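
The plugin-side wiring from step 2 of the reply above, as an added example that is not part of the original email and is not Ranger's own code. The class name, the service type "myproject" and the resource key "table" are hypothetical and must match your own Ranger service definition.

```java
import java.util.Date;
import java.util.Set;

import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

/** Hypothetical authorizer for a custom service; names are assumptions. */
public class MyProjectAuthorizer {
    private final RangerBasePlugin plugin;

    public MyProjectAuthorizer() {
        // Placeholder service type and app id.
        plugin = new RangerBasePlugin("myproject", "myproject");
        plugin.init(); // loads policies and keeps them refreshed
    }

    /**
     * @param owner owner recorded in the project's own metadata, or null if unknown
     */
    public boolean isAllowed(String user, Set<String> groups, String table,
                             String owner, String accessType) {
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("table", table); // "table" is an assumed resource key
        if (owner != null) {
            // Use only the owner stored with the resource. Falling back to the
            // requesting user would make every caller look like the owner.
            resource.setOwnerUser(owner);
        }

        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setResource(resource);
        request.setUser(user);
        request.setUserGroups(groups);
        request.setAccessType(accessType);
        request.setAccessTime(new Date());

        RangerAccessResult result = plugin.isAccessAllowed(request);
        // Fail closed: treat a missing result as a denial.
        return result != null && result.getIsAllowed();
    }
}
```

With the single {OWNER} policy in place, a table creator is allowed the default accesses as soon as the project records them as owner, with no per-table policy being created.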


From: Yujie Li <rydge...@gmail.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Monday, September 18, 2017 at 4:23 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Is Ranger supposed to create a policy automatically allowing access 
when a user creates a new resource (for example, a hive table)

Hi,

I would like to ask a question regarding Ranger behaviors.

With Ranger in the picture, every time a user creates a resource (for example, a 
Hive table; in this case, the user is the owner of that table and expects to 
have full access to that table), is the Ranger plugin supposed to create a 
policy automatically allowing the user to have access to that table? Or is the 
Ranger administrator expected to manually create a policy to allow the access 
for that user? What is the best practice here?

I am asking this question because we are implementing a Ranger plugin with our 
own project within my company. We are having a hard time deciding if we need to 
implement the part which automatically creates a policy for newly created 
resources. I guess I am asking the Ranger philosophy here since Ranger is 
supposed to be the security control center.

But if a new policy gets created every time, there would be a huge number of 
policies on the Ranger side and performance would be affected by the number. But if 
Ranger doesn't create new policies automatically for newly created resources, 
users would not be able to access the resources that they just created and 
would be confused. And the control would be more strict and it would be more 
difficult for the Ranger admin to manage multiple users.

I would appreciate any advice!

Thanks!
