Posted to dev@ranger.apache.org by Ramesh Bhanan <in...@gmail.com> on 2020/08/12 09:19:08 UTC

Info required: Ranger policy evaluation hierarchical

Hello Rangers,

I need some clarification on how hierarchical policy evaluation works for
the following setup.

{"resources":
  [
    {
      "itemId": 1,
      "name": "catalog",
      "type": "string",
      "mandatory": true,
      "level": 10,
      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
      "matcherOptions": { "wildCard": true, "ignoreCase": true },
      "label": "Presto Catalog",
      "accessTypeRestrictions": ["select", "update", "create", "drop", "alter", "lock"],
      "isValidLeaf": true
    },
    {
      "itemId": 2,
      "name": "schema",
      "type": "string",
      "level": 20,
      "parent": "catalog",
      "mandatory": true,
      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
      "matcherOptions": { "wildCard": true, "ignoreCase": true },
      "label": "Presto Table",
      "accessTypeRestrictions": ["select", "update", "create", "drop", "alter", "index", "lock"],
      "isValidLeaf": true
    }
  ]
}

And my policy details are as below:

  Catalog    Schema     User     Permission
  testCat1   testSch1   user1    ALL

With the above setting, if I execute
1. rangerPlugin.isAccessAllowed(Resource(testCat1)) with perm SELECT ==> *FALSE*
2. rangerPlugin.isAccessAllowed(Resource(testCat1, testSch1)) with perm SELECT ==> *TRUE*

Why does *case 1* not return TRUE in this case?

In an ideal world it should have been *TRUE*, since there are some items
for user1 which he has valid access to, and the servicedef contains a
parent/child relationship.
Please shed some light on this.

FYI:
The example servicedef is copied from Presto, and the code above is pseudocode.

Thanks,
RameshByndoor
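The following Python is an added, simplified model of hierarchical resource matching in a Ranger-style policy engine; it is not Ranger's own code and is not part of the original post. It reproduces the two observations above: an ordinary access check matches a policy against the exact level the request names (call it scope "SELF"), so a policy that pins schema=testSch1 is a descendant of the catalog-only request and does not match, whereas the same policy with schema="*" would. The "SELF_OR_DESCENDANTS" scope is the kind of check a plugin uses for listing/browsing operations ("may user1 see anything under testCat1?"); my reading is that recent Ranger releases expose this through the RangerAccessRequest resource-matching scope, but that mapping, and the function and constant names below, are my assumptions rather than something the post states. The policy and requests are constructed from the table in the post.

```python
"""Simplified model of hierarchical resource matching (constructed example,
not Apache Ranger's own implementation)."""
import fnmatch

# Resource hierarchy from the posted service-def, in "level" order:
# catalog (level 10) -> schema (level 20, parent = catalog).
RESOURCE_LEVELS = ["catalog", "schema"]

# Access types from the posted service-def; "ALL" in a policy expands to these.
ACCESS_TYPES = {"select", "update", "create", "drop", "alter", "index", "lock"}


def value_matches(policy_values, request_value):
    """matcherOptions {"wildCard": true, "ignoreCase": true}: glob '*'/'?',
    compared case-insensitively, against any of the policy's values."""
    rv = request_value.lower()
    return any(fnmatch.fnmatchcase(rv, pv.lower()) for pv in policy_values)


def resource_matches(policy_resource, request_resource, scope="SELF"):
    """Return True if the policy's resource spec matches the requested resource.

    scope="SELF" (assumed default for a plain access check): the policy must
    describe the requested level itself; any deeper level the policy pins
    must be "*" (match-any) or absent.
    scope="SELF_OR_DESCENDANTS" (assumed listing/browsing check): a policy on
    a descendant of the requested resource also counts as a match.
    """
    for level in RESOURCE_LEVELS:
        policy_values = policy_resource.get(level)
        request_value = request_resource.get(level)
        if request_value is not None:
            # The request names this level: the policy must have it and match it.
            if not policy_values or not value_matches(policy_values, request_value):
                return False
        elif policy_values:
            # The request stops above this level but the policy pins it
            # (e.g. schema=testSch1 against a catalog-only request): that is a
            # descendant of the request, not the request itself.
            if "*" not in policy_values and scope != "SELF_OR_DESCENDANTS":
                return False
    return True


def is_access_allowed(policies, request_resource, user, access_type, scope="SELF"):
    """Model of isAccessAllowed(): first policy item granting user the access
    on a matching resource wins; no match means denied."""
    for policy in policies:
        if not resource_matches(policy["resource"], request_resource, scope):
            continue
        for item in policy["items"]:
            accesses = ACCESS_TYPES if "ALL" in item["accesses"] else set(item["accesses"])
            if user in item["users"] and access_type in accesses:
                return True
    return False


# Constructed policy matching the table in the post: testCat1 / testSch1 / user1 / ALL.
POLICIES = [
    {
        "resource": {"catalog": ["testCat1"], "schema": ["testSch1"]},
        "items": [{"users": ["user1"], "accesses": ["ALL"]}],
    },
]

if __name__ == "__main__":
    # Case 1 from the post: catalog-only request, default scope -> False
    print(is_access_allowed(POLICIES, {"catalog": "testCat1"}, "user1", "select"))
    # Case 2 from the post: catalog + schema request -> True
    print(is_access_allowed(POLICIES, {"catalog": "testCat1", "schema": "testSch1"}, "user1", "select"))
    # Same catalog-only request, descendant-aware scope -> True
    print(is_access_allowed(POLICIES, {"catalog": "testCat1"}, "user1", "select",
                            scope="SELF_OR_DESCENDANTS"))
```

Practically, this is why a user who should be able to operate at the catalog level needs either a policy whose schema is "*" (or a second catalog-level policy), or a caller that asks the descendant-aware question; a schema-scoped policy alone never satisfies a catalog-level SELF check.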