You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Bolke de Bruin (JIRA)" <ji...@apache.org> on 2018/12/04 13:44:00 UTC
[jira] [Updated] (RANGER-2302) Clients should be able to add tag
information to access requests
[ https://issues.apache.org/jira/browse/RANGER-2302?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bolke de Bruin updated RANGER-2302:
-----------------------------------
Attachment: 0001-RANGER-2302-Add-client-tags.patch
> Clients should be able to add tag information to access requests
> ----------------------------------------------------------------
>
> Key: RANGER-2302
> URL: https://issues.apache.org/jira/browse/RANGER-2302
> Project: Ranger
> Issue Type: Bug
> Components: tagsync
> Affects Versions: 1.2.0
> Reporter: Bolke de Bruin
> Priority: Major
> Labels: tags
> Attachments: 0001-RANGER-2302-Add-client-tags.patch
>
>
> Ranger currently assumes that clients are tag unaware. It, for example, syncs tag information with Atlas. This has several issues:
> # It assumes Ranger is the single source of truth connecting resource and tag information
> # As the tagsync is not happening realtime (either due to Kafka delay or due to caching) security issues can pop up. E.g. copy a file with PII info to different location has a time window that Ranger is unaware of the tag.
> If the client is tag aware it could supply the tags that it knows of as part of the request. This ensures immediate availability and propagation of tags.
> A backward compatible implementation could be to use {color:#9876aa}KEY_USER_TAGS {color}with a delimiter as part of the RangerAccessResource request and have RangerTagEnricher pick up these tags
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)