Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2022/02/12 07:38:00 UTC
[jira] [Commented] (RANGER-3617) incorrect deny for _any access due to tag policy
[ https://issues.apache.org/jira/browse/RANGER-3617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17491288#comment-17491288 ]
Madhan Neethiraj commented on RANGER-3617:
------------------------------------------
master branch:
{noformat}
commit 9a2c732d6584802d30e7e847a1e6b8c4050e5652 (HEAD -> master, origin/master, origin/HEAD)
Author: Madhan Neethiraj <ma...@apache.org>
Date: Thu Feb 10 15:23:09 2022 -0800
RANGER-3617: incorrect deny for _any access due to tag policy
{noformat}
ranger-2.3 branch:
{noformat}
commit 70c614b1ab936e3f8d17d749b7ea78be499e58e4 (HEAD -> ranger-2.3, origin/ranger-2.3)
Author: Madhan Neethiraj <ma...@apache.org>
Date: Thu Feb 10 15:23:09 2022 -0800
RANGER-3617: incorrect deny for _any access due to tag policy
(cherry picked from commit 9a2c732d6584802d30e7e847a1e6b8c4050e5652)
{noformat}
> incorrect deny for _any access due to tag policy
> ------------------------------------------------
>
> Key: RANGER-3617
> URL: https://issues.apache.org/jira/browse/RANGER-3617
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.1.0, 2.2.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Attachments: RANGER-3617.patch
>
>
> API to check if user has any access within a resource returns deny when a tag-based policy denies access to a child resource, even though another policy allows access to a different child resource. More details to reproduce the issue below:
> # Policy on tag={{RESTRICTED}} denies {{select}} access to user2
> # A resource-based policy allows {{select}} access to user2 on {{database=\*, table=\*, column=\*}}
> # Column {{finance.tax_2016.name}} is tagged with {{RESTRICTED}}
> # user2 is denied {{select}} on this column by above tag-based policy – this is as expected
> # user2 is denied {{_any}} on {{finance}} database (like "use finance;") by above tag-based policy – which is incorrect
> Expected: access should have been allowed by above resource-based policy
>
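The reproduction steps in the quoted issue, as an added example that is not part of the Jira comment or of Ranger's code: a simplified Python model of deny-overrides-allow evaluation that contrasts the reported result with the expected one. The tuple resource model and the names `covers`, `tag_denied`, `is_allowed` and `descendant_tag_deny` are assumptions made for illustration.

```python
# Simplified model of the RANGER-3617 scenario; not Ranger's code or API.
from fnmatch import fnmatch

# Constructed sample data mirroring the reproduction steps in the issue.
TAGS = {("finance", "tax_2016", "name"): {"RESTRICTED"}}  # step 3
TAG_DENY = {("RESTRICTED", "user2", "select")}             # step 1
ALLOW = [(("*", "*", "*"), "user2", "select")]             # step 2


def covers(pattern, resource):
    """True if the policy pattern matches the resource, or some descendant of
    it when the resource has fewer than three levels (e.g. only a database)."""
    return all(fnmatch(r, p) for p, r in zip(pattern, resource))


def tag_denied(resource, user, access, include_descendants):
    """Deny from tags on the resource itself or an ancestor, and optionally
    from tags that sit only on descendants of the resource."""
    for tagged, tags in TAGS.items():
        self_or_ancestor = tagged == resource[:len(tagged)]
        descendant = (len(tagged) > len(resource)
                      and tagged[:len(resource)] == resource)
        if self_or_ancestor or (include_descendants and descendant):
            denied = [a for t, u, a in TAG_DENY if t in tags and u == user]
            if access in denied or (access == "_any" and denied):
                return True
    return False


def is_allowed(resource, user, access, descendant_tag_deny=False):
    """Deny wins over allow. descendant_tag_deny=True reproduces the reported
    behaviour; False gives the result the issue lists as expected."""
    if tag_denied(resource, user, access, descendant_tag_deny):
        return False
    return any(covers(p, resource) and u == user and access in ("_any", a)
               for p, u, a in ALLOW)


if __name__ == "__main__":
    col = ("finance", "tax_2016", "name")
    print("select on tagged column:", is_allowed(col, "user2", "select"))
    print("_any on finance (reported):",
          is_allowed(("finance",), "user2", "_any", descendant_tag_deny=True))
    print("_any on finance (expected):",
          is_allowed(("finance",), "user2", "_any"))
```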