Posted to user@ranger.apache.org by Yujie Li <ry...@gmail.com> on 2017/09/18 23:23:01 UTC

Is Ranger supposed to create a policy automatically allowing access when a user creates a new resource (for example, a hive table)

Hi,

I would like to ask a question regarding Ranger behaviors.

With Ranger in the picture, every time a user creates a resource (for example,
a Hive table; in this case, the user is the owner of that table and
expects to have full access to that table), is the Ranger plugin supposed to
create a policy automatically allowing the user to have access to that
table? Or is the Ranger administrator expected to manually create a policy
to allow the access for that user? What is the best practice here?

I am asking this question because we are implementing a Ranger plugin with
our own project within my company. We are having a hard time deciding if we
need to implement the part which automatically creates a policy for newly
created resources. I guess I am asking about the Ranger philosophy here since
Ranger is supposed to be the security control center.

But if a new policy gets created every time, there would be a huge number
of policies on the Ranger side and performance would be affected by the number.
But if Ranger doesn't create new policies automatically for newly created
resources, users would not be able to access the resources that they just
created and would be confused. And the control would be more strict and it
would be more difficult for the Ranger admin to manage multiple users.

I would appreciate any advice!

Thanks!

Re: Is Ranger supposed to create a policy automatically allowing access when a user creates a new resource (for example, a hive table)

Posted by Yujie Li <ry...@gmail.com>.
Thank you Abhay!

Best,

Yujie

> On Sep 19, 2017, at 8:47 AM, Abhay Kulkarni <ak...@hortonworks.com> wrote:
> 
> Hi Yujie, 
> 
> Precisely. This policy will allow access to any newly created resource to its owner if the owner info is set correctly in the RangerAccessResourceImpl object.
> 
> Thanks,
> -Abhay


Re: Is Ranger supposed to create a policy automatically allowing access when a user creates a new resource (for example, a hive table)

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
Hi Yujie,

Precisely. This policy will allow access to any newly created resource to its owner if the owner info is set correctly in the RangerAccessResourceImpl object.

Thanks,
-Abhay

From: Yujie Li <ry...@gmail.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Monday, September 18, 2017 at 9:28 PM
To: "user@ranger.apache.org" <us...@ranger.apache.org>
Subject: Re: Is Ranger supposed to create a policy automatically allowing access when a user creates a new resource (for example, a hive table)

Hi Abhay, thanks for your reply!

Can you elaborate on the first part? Do you mean we should define a policy which sets {OWNER} in the user field? Like the screenshot below:

With this policy, any newly created resources should be accessible to their owner as long as we have the owner info?

Thanks!




Re: Is Ranger supposed to create a policy automatically allowing access when a user creates a new resource (for example, a hive table)

Posted by Yujie Li <ry...@gmail.com>.
Hi Abhay, thanks for your reply!

Can you elaborate on the first part? Do you mean we should define a policy which sets {OWNER} in the user field? Like the screenshot below:



With this policy, any newly created resources should be accessible to their owner as long as we have the owner info?

Thanks!


> On Sep 18, 2017, at 8:34 PM, Abhay Kulkarni <ak...@hortonworks.com> wrote:
> 
> Hi Yujie,
> 
> In general, you should not create a new policy for every freshly created resource for the reasons you listed.  OWNER policies supported by Ranger will help in minimizing the number of policies needed for your use-case, if resources in your project support ownership concept.
> 
>   1.  You need to write one Ranger policy a priori which is schematically shown below.
>      *   "resources" : * ( Matches any accessed resource)
>      *   PolicyItem: - "users" : ["{OWNER}"], "groups": [], "accesses" : [<default accesses to be granted to resource owner>]
>   2.  Your project's access control interface to Ranger needs to provide "owner" of the resource being accessed to Ranger, and Ranger's representation of your project's accessed-resource ( which is generally a subclass of RangerAccessResourceImpl) needs to cache it using setOwnerUser() API. The object representing accessed resource needs to be set in Ranger access-request using setResource() API.
> 
> This policy will grant default accesses specified in the policy to the creator of the resource.
> 
> Thanks,
> -Abhay Kulkarni


Re: Is Ranger supposed to create a policy automatically allowing access when a user creates a new resource (for example, a hive table)

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
Hi Yujie,

In general, you should not create a new policy for every freshly created resource for the reasons you listed.  OWNER policies supported by Ranger will help in minimizing the number of policies needed for your use-case, if resources in your project support ownership concept.

  1.  You need to write one Ranger policy a priori which is schematically shown below.
     *   "resources" : * ( Matches any accessed resource)
     *   PolicyItem: - "users" : ["{OWNER}"], "groups": [], "accesses" : [<default accesses to be granted to resource owner>]
  2.  Your project's access control interface to Ranger needs to provide "owner" of the resource being accessed to Ranger, and Ranger's representation of your project's accessed-resource ( which is generally a subclass of RangerAccessResourceImpl) needs to cache it using setOwnerUser() API. The object representing accessed resource needs to be set in Ranger access-request using setResource() API.

This policy will grant default accesses specified in the policy to the creator of the resource.

Thanks,
-Abhay Kulkarni
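
A sketch of step 2 from the reply above, added here as an example; it is not code from this thread or from the Ranger project. The class name, the OwnerLookup interface, the "myservice"/"myapp" identifiers and the "database"/"table" resource keys are assumptions standing in for a custom plugin's own service definition.

```java
import java.util.Date;
import java.util.Set;

import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

public class MyServiceAuthorizer {
    // Hypothetical lookup into the project's own metadata store.
    public interface OwnerLookup { String ownerOf(String db, String table); }

    private final RangerBasePlugin plugin;
    private final OwnerLookup owners;

    public MyServiceAuthorizer(OwnerLookup owners) {
        this.owners = owners;
        // Placeholder service-type and app-id values (assumptions).
        this.plugin = new RangerBasePlugin("myservice", "myapp");
        this.plugin.init(); // starts policy download from Ranger Admin
    }

    public boolean isAllowed(String user, Set<String> groups,
                             String db, String table, String accessType) {
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("database", db);  // keys must match the service-def
        resource.setValue("table", table);

        // The owner is read from server-side metadata, never taken from the
        // caller's request. If it is unknown, leave it unset rather than
        // defaulting to the requesting user.
        String owner = owners.ownerOf(db, table);
        if (owner != null) {
            resource.setOwnerUser(owner);
        }

        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setResource(resource);
        request.setUser(user);
        request.setUserGroups(groups);
        request.setAccessType(accessType);
        request.setAccessTime(new Date());

        RangerAccessResult result = plugin.isAccessAllowed(request);
        return result != null && result.getIsAllowed(); // deny when undecided
    }
}
```

With the single {OWNER} policy in place, a table's creator is granted the policy's default accesses as soon as the metadata store records them as owner, with no per-table policy.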

