You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Abhay Kulkarni (JIRA)" <ji...@apache.org> on 2018/04/11 21:54:00 UTC
[jira] [Updated] (RANGER-2066) Hbase column family access is
authorized by a tagged column in the column family
[ https://issues.apache.org/jira/browse/RANGER-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Abhay Kulkarni updated RANGER-2066:
-----------------------------------
Summary: Hbase column family access is authorized by a tagged column in the column family (was: Hbase column family access is authorized by a tagged column)
> Hbase column family access is authorized by a tagged column in the column family
> --------------------------------------------------------------------------------
>
> Key: RANGER-2066
> URL: https://issues.apache.org/jira/browse/RANGER-2066
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 1.0.0, master
> Reporter: Anuja Leekha
> Priority: Major
> Fix For: master, 1.1.0
>
>
> ERROR SCENARIO:
> Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, manager)
> Column emp/prof_data/role is tagged with OFFICIAL tag.
> Create following policies:
> Resource policy allows Read on table=*, column-family=*,column=* and policy for tag OFFICIAL allows Read on OFFICIAL tag for a test_user.
> When test_user executes 'scan emp' command, two audit log records are created:
> 1. Resource: emp/personal_data
> Name / Type: column-family
> Allowed
> Policy allowing: Access based policy [Tag column shows PII]
> 2. Resource: emp/prof_data
> Name / Type: column-family
> Allowed
> Policy allowing: TAG based policy for OFFICIAL tag
> prof_data column-family should not be authorized by a tagged role column in it.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)