Posted to user@ranger.apache.org by Elliot West <te...@gmail.com> on 2021/01/04 09:16:02 UTC

Multi-tag policy evaluation

Hello,

I'm implementing some custom plug-ins that have their own non-Atlas tag
sources. In my authorisation model, a resource may have multiple tags
assigned to it concurrently.

For example, if resource R has tags A and B assigned, then I would expect
that an access request for resource R might consider resource policies
matching R, and tag policies matching A and B.

As I understand it, when I want to perform an authorisation request within
a plugin implementation I will need to pass through a suitable
RangerAccessRequest to the RangerBasePlugin instance. However, I'm unable
to find a RangerAccessResource that allows me to specify multiple tags. The
closest I can find is RangerTagResource that allows the specification of a
single tag.

How should I evaluate access requests for resources with multiple tags? My
current assumption is that I must evaluate a request for each tag assigned
to the accessed resource in turn and then logically AND them? However, this
would seem to me to equate to additional, unencapsulated, and hidden policy
evaluation logic.

I would appreciate any insights that others have on this.

Many thanks,

Elliot.

Re: Multi-tag policy evaluation

Posted by Elliot West <te...@gmail.com>.
Hey Bosco, thank you for the reply.

So are you suggesting that I can push the resource-tag mappings into
Ranger, and then when performing a resource access request evaluation,
Ranger will use this mapping to determine which tags are associated with
the resource?

Elliot.

On Mon, 4 Jan 2021 at 15:54, Don Bosco Durai <bo...@apache.org> wrote:

> Hi Elliot
>
> Are the tags in Ranger? If so, won’t it automatically take care of your
> use case?
>
> Bosco

Re: Multi-tag policy evaluation

Posted by Don Bosco Durai <bo...@apache.org>.
Hi Elliot

Are the tags in Ranger? If so, won’t it automatically take care of your use case?

Bosco
