Madhan, thanks for putting this document together. It is looking good.

Can I make a few suggestions:
- Call out each use case as a separate section. E.g. 2.2.3 for “HDFS policy
  that allows all finance group users to access contents of /finance folder,
  but denies access to users in interns group. Users in interns group will be
  denied the access even if they are part of finance group.”
- Can we also add a simple use case of global “Deny”? E.g. deny all users from
  the “interns” group from accessing table “Employees”.
- The label “Exceptions”, can we make it more explicit? E.g. “Exclude from
  Allow Conditions” and “Exclude from Deny Conditions”.
- Probably one small paragraph to explain “Exceptions” will be good. I think
  this is sort of a new concept.
- Section 3 “Policy Evaluation”, it seems to be a flow chart. Can we create a
  flow chart diagram? It will be easy to understand.

Thanks again. Let me know if you need help in the documentation.

Bosco


From:  Madhan Neethiraj
Reply-To:  <[email protected]>
Date:  Monday, October 12, 2015 at 5:46 PM
To:  "[email protected]"
Subject:  [DISCUSS] Policy model enhancement to support deny-conditions and 
exceptions

All,

Apache Ranger policy model enhancement to support deny-conditions and 
exceptions (RANGER-606) is available in the tag-policy branch. This enhancement 
adds the capability to explicitly deny access to resources based on 
users/groups, access-types and custom-conditions. It also supports allow/deny 
to be specified for a wider group (like employees, public, etc.) but exclude 
specific users/groups who might be part of the wider groups.

An overview of the implementation, along with a few examples, is available in 
Apache wiki page here. Please review.

Thanks,
Madhan
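
The following sketch is an added example, not part of the thread and not Apache Ranger code. It models the /finance use case quoted above plus an "exclude from allow" case. The class names, the `SHARED` policy, its groups and the evaluation order (deny checked before allow, an exception cancelling the condition it belongs to) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Item:
    """One policy item: the groups it names and the access types it covers."""
    groups: set
    accesses: set

    def matches(self, user_groups, access):
        return access in self.accesses and bool(self.groups & set(user_groups))

@dataclass
class Policy:
    resource: str
    allow: list = field(default_factory=list)
    allow_exceptions: list = field(default_factory=list)   # "exclude from allow"
    deny: list = field(default_factory=list)
    deny_exceptions: list = field(default_factory=list)    # "exclude from deny"

def hit(items, user_groups, access):
    return any(i.matches(user_groups, access) for i in items)

def evaluate(policy, path, user_groups, access):
    """Return 'DENY', 'ALLOW' or 'NO_DECISION' (assumed order: deny first)."""
    root = policy.resource.rstrip("/")
    if not (path == root or path.startswith(root + "/")):
        return "NO_DECISION"            # policy does not cover this resource
    if hit(policy.deny, user_groups, access) and \
            not hit(policy.deny_exceptions, user_groups, access):
        return "DENY"                   # deny wins over any allow match
    if hit(policy.allow, user_groups, access) and \
            not hit(policy.allow_exceptions, user_groups, access):
        return "ALLOW"
    return "NO_DECISION"                # left to other policies / default

# Constructed policy for the /finance use case quoted in the thread.
FINANCE = Policy(
    resource="/finance",
    allow=[Item({"finance"}, {"read", "write"})],
    deny=[Item({"interns"}, {"read", "write"})],
)

# Constructed policy: allow a wide group, exclude a subgroup from the allow.
SHARED = Policy(
    resource="/shared",
    allow=[Item({"employees"}, {"read"})],
    allow_exceptions=[Item({"contractors"}, {"read"})],
)
```
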


