Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2022/02/12 07:38:00 UTC

[jira] [Commented] (RANGER-3617) incorrect deny for _any access due to tag policy

    [ https://issues.apache.org/jira/browse/RANGER-3617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17491288#comment-17491288 ] 

Madhan Neethiraj commented on RANGER-3617:
------------------------------------------

master branch:
{noformat}
commit 9a2c732d6584802d30e7e847a1e6b8c4050e5652 (HEAD -> master, origin/master, origin/HEAD)
Author: Madhan Neethiraj <ma...@apache.org>
Date:   Thu Feb 10 15:23:09 2022 -0800

    RANGER-3617: incorrect deny for _any access due to tag policy
{noformat}


 
ranger-2.3 branch:
{noformat}
commit 70c614b1ab936e3f8d17d749b7ea78be499e58e4 (HEAD -> ranger-2.3, origin/ranger-2.3)
Author: Madhan Neethiraj <ma...@apache.org>
Date:   Thu Feb 10 15:23:09 2022 -0800

    RANGER-3617: incorrect deny for _any access due to tag policy

    (cherry picked from commit 9a2c732d6584802d30e7e847a1e6b8c4050e5652)
{noformat}

> incorrect deny for _any access due to tag policy
> ------------------------------------------------
>
>                 Key: RANGER-3617
>                 URL: https://issues.apache.org/jira/browse/RANGER-3617
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0, 2.2.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>         Attachments: RANGER-3617.patch
>
>
> API to check if user has any access within a resource returns deny when a tag-based policy denies access to a child resource, even though another policy allows access to a different child resource. More details to reproduce the issue below:
>  # Policy on tag={{RESTRICTED}} denies {{select}} access to user2
>  # A resource-based policy allows {{select}} access to user2 on {{database=*, table=*, column=*}}
>  # Column {{finance.tax_2016.name}} is tagged with {{RESTRICTED}}
>  # user2 is denied {{select}} on this column by above tag-based policy – this is as expected
>  # user2 is denied {{_any}} on {{finance}} database (like "use finance;") by above tag-based policy – which is incorrect
> Expected: access should have been allowed by above resource-based policy
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
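
The reproduction steps in the quoted issue, as an added example that is not part of the original message and is not Ranger code: a simplified Python model that contrasts the reported {{_any}} result with the expected one. The second column finance.tax_2016.amount, the function names and the policy layout are assumptions made for illustration.

```python
# Simplified model of the RANGER-3617 scenario; added example, not Ranger code.
# Policy layout, function names and the catalog are constructed for illustration.
from fnmatch import fnmatch

COLUMNS = ["finance.tax_2016.name", "finance.tax_2016.amount"]  # constructed catalog
TAGS = {"finance.tax_2016.name": {"RESTRICTED"}}                 # step 3
TAG_DENY = [{"tag": "RESTRICTED", "user": "user2", "access": "select"}]       # step 1
RESOURCE_ALLOW = [{"pattern": "*.*.*", "user": "user2", "access": "select"}]  # step 2
ACCESS_TYPES = ("select",)


def tag_denies(user, column, access):
    """True if a tag-based policy denies `access` to `user` on this column."""
    return any(p["user"] == user and p["access"] == access
               and p["tag"] in TAGS.get(column, ()) for p in TAG_DENY)


def resource_allows(user, column, access):
    """True if a resource-based policy allows `access` to `user` on this column."""
    return any(p["user"] == user and p["access"] == access
               and fnmatch(column, p["pattern"]) for p in RESOURCE_ALLOW)


def check_column(user, column, access):
    """Exact-resource check: a matching deny overrides a matching allow."""
    return resource_allows(user, column, access) and not tag_denies(user, column, access)


def descendants(database):
    """Columns that live inside the given database."""
    return [c for c in COLUMNS if c.startswith(database + ".")]


def any_access_reported(user, database):
    """Reported behaviour: a tag deny on one child denies _any on the parent."""
    cols = descendants(database)
    if any(tag_denies(user, c, a) for c in cols for a in ACCESS_TYPES):
        return False
    return any(resource_allows(user, c, a) for c in cols for a in ACCESS_TYPES)


def any_access_expected(user, database):
    """Expected behaviour: _any is allowed if at least one child stays accessible."""
    return any(check_column(user, c, a)
               for c in descendants(database) for a in ACCESS_TYPES)
```

In this model the deny on the tagged column still holds for an exact check on that column; only the {{_any}} check on the parent database differs between the two functions.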