Posted to dev@ranger.apache.org by Ramesh Bhanan <in...@gmail.com> on 2020/08/12 09:19:08 UTC
Info required: Ranger policy evaluation hierarchical
Hello Rangers,
I need some clarification on how the hierarchical policy evaluation works
for the following criteria.
{
  "resources": [
    {
      "itemId": 1,
      "name": "catalog",
      "type": "string",
      "mandatory": true,
      "level": 10,
      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
      "matcherOptions": { "wildCard": true, "ignoreCase": true },
      "label": "Presto Catalog",
      "accessTypeRestrictions": ["select", "update", "create", "drop", "alter", "lock"],
      "isValidLeaf": true
    },
    {
      "itemId": 2,
      "name": "schema",
      "type": "string",
      "level": 20,
      "parent": "catalog",
      "mandatory": true,
      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
      "matcherOptions": { "wildCard": true, "ignoreCase": true },
      "label": " Presto Table",
      "accessTypeRestrictions": ["select", "update", "create", "drop", "alter", "index", "lock"],
      "isValidLeaf": true
    }
  ]
}
And my policy details are as below:
Catalog   | Schema   | User  | Permission
testCat1  | testSch1 | user1 | ALL
With the above setting, if I execute:
1. rangerPlugin.isAccessAllowed(Resource(testCat1)) with perm SELECT ==> *FALSE*
2. rangerPlugin.isAccessAllowed(Resource(testCat1, testSch1)) with perm SELECT ==> *TRUE*
Why does *case 1* not return TRUE in this case?
In an ideal world it should have been *TRUE*, since there are some items
that User1 has valid access to, and the servicedef contains a
parent/child relationship.
Please shed some light on this.
FYI:
The example servicedef is copied from Presto, and the code is pseudocode.
Thanks,
RameshByndoor