You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Pradeep Agrawal (Jira)" <ji...@apache.org> on 2021/12/16 06:21:00 UTC
[jira] [Commented] (RANGER-3526) policy evaluation ordering to use name as secondary sorting key
[ https://issues.apache.org/jira/browse/RANGER-3526?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460434#comment-17460434 ]
Pradeep Agrawal commented on RANGER-3526:
-----------------------------------------
Commit link part-1 : [https://github.com/apache/ranger/commit/a6583cffdf5813773721f7ae1e02e632de886558]
Commit link part-2 : [https://github.com/apache/ranger/commit/fe97016e147295aef5aa9041744452bb647cc724]
Please close RR :
[https://reviews.apache.org/r/73729/]
https://reviews.apache.org/r/73732/
> policy evaluation ordering to use name as secondary sorting key
> ---------------------------------------------------------------
>
> Key: RANGER-3526
> URL: https://issues.apache.org/jira/browse/RANGER-3526
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Attachments: RANGER-3526.patch
>
>
> Policy engine evaluates policies in the following order: priority, has-deny, has-no-deny. When multiple policies have same priority/has-deny/has-no-deny, the ordering is not deterministic. This doesn't impact the result for access policies - as all denies will be evaluated before allows. However, the result for masking/row-filter can vary when multiple policies exists for a given resource, and these policies define different mask/filter for a given user/group/role.
>
> Given name of a policy is unique within a service, using policy name as the secondary sorting key will result in deterministic evaluation order.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)