You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Madhan Neethiraj (JIRA)" <ji...@apache.org> on 2016/04/07 23:16:25 UTC
[jira] [Reopened] (RANGER-877) Exceptions in policies:
allow-exceptions should implicitly deny; deny-exceptions should implicitly
allow
[ https://issues.apache.org/jira/browse/RANGER-877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj reopened RANGER-877:
-------------------------------------
The changes introduced in this JIRA does not allow an exception to be specified in a policy, so that another policy can determine the authorization result. This could be desirable behavior for some usecases; hence this change needs to be reverted.
> Exceptions in policies: allow-exceptions should implicitly deny; deny-exceptions should implicitly allow
> --------------------------------------------------------------------------------------------------------
>
> Key: RANGER-877
> URL: https://issues.apache.org/jira/browse/RANGER-877
> Project: Ranger
> Issue Type: Sub-task
> Components: plugins
> Affects Versions: 0.6.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.6.0
>
> Attachments: 0001-RANGER-877-Exceptions-in-policies-allowExceptions-sh.patch
>
>
> In the current policy model (in 0.6), adding an user/group to allowExceptions does not automatically deny access to the user/group; the user/group should explicitly be added to denyPolicyItems. Similarly adding an user/group to denyExceptions does not allow access to the user/group; the user/group should explicitly be added to allowPolicyItems.
> While this behavior offers flexibility, it does not seem very intuitive for many users. Hence this JIRA to ask for change in the policy engine to implicitly treat allowExceptions as deny and denyExceptions as allow.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)