Posted to dev@ranger.apache.org by "Abhishek Shukla (Jira)" <ji...@apache.org> on 2021/07/08 10:44:00 UTC
[jira] [Created] (RANGER-3330) [Atlas classification authorization] _CLASSIFIED classification not supported in atlas policies
Abhishek Shukla created RANGER-3330:
---------------------------------------
Summary: [Atlas classification authorization] _CLASSIFIED classification not supported in atlas policies
Key: RANGER-3330
URL: https://issues.apache.org/jira/browse/RANGER-3330
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 2.2.0
Reporter: Abhishek Shukla
*Test Policies*:
{code:java}
[
  {
    "service": "cm_atlas",
    "name": "test_atlas_with_classification_auth_policy_2",
    "policyType": 0,
    "policyPriority": 0,
    "description": "test_atlas_with_classification_auth_policy_2",
    "isAuditEnabled": true,
    "resources": {
      "entity-type": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity-classification": {
        "values": [
          "_NOT_CLASSIFIED"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "classification": {
        "values": [
          "PII"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      }
    },
    "policyItems": [
      {
        "accesses": [
          {
            "type": "entity-add-classification",
            "isAllowed": true
          },
          {
            "type": "entity-update-classification",
            "isAllowed": true
          },
          {
            "type": "entity-remove-classification",
            "isAllowed": true
          }
        ],
        "users": [
          "hrt_2"
        ],
        "groups": [],
        "roles": [],
        "conditions": [],
        "delegateAdmin": true
      }
    ],
    "denyPolicyItems": [],
    "allowExceptions": [],
    "denyExceptions": [],
    "dataMaskPolicyItems": [],
    "rowFilterPolicyItems": [],
    "serviceType": "atlas",
    "options": {},
    "validitySchedules": [],
    "policyLabels": [],
    "zoneName": "",
    "isDenyAllElse": false,
    "id": 37,
    "guid": "3231a2cf-d819-48ec-a3e7-89e960499b85",
    "isEnabled": true,
    "version": 1
  },
  {
    "service": "cm_atlas",
    "name": "test_atlas_with_classification_auth_policy_3",
    "policyType": 0,
    "policyPriority": 0,
    "description": "test_atlas_with_classification_auth_policy_3",
    "isAuditEnabled": true,
    "resources": {
      "entity-type": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity-classification": {
        "values": [
          "_CLASSIFIED"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "classification": {
        "values": [
          "FINANCE"
        ],
        "isExcludes": false,
        "isRecursive": false
      },
      "entity": {
        "values": [
          "*"
        ],
        "isExcludes": false,
        "isRecursive": false
      }
    },
    "policyItems": [
      {
        "accesses": [
          {
            "type": "entity-add-classification",
            "isAllowed": true
          },
          {
            "type": "entity-update-classification",
            "isAllowed": true
          },
          {
            "type": "entity-remove-classification",
            "isAllowed": true
          }
        ],
        "users": [
          "hrt_2"
        ],
        "groups": [],
        "roles": [],
        "conditions": [],
        "delegateAdmin": true
      }
    ],
    "denyPolicyItems": [],
    "allowExceptions": [],
    "denyExceptions": [],
    "dataMaskPolicyItems": [],
    "rowFilterPolicyItems": [],
    "serviceType": "atlas",
    "options": {},
    "validitySchedules": [],
    "policyLabels": [],
    "zoneName": "",
    "isDenyAllElse": false,
    "id": 37,
    "guid": "3231a2cf-d819-48ec-a3e7-89e960499b85",
    "isEnabled": true,
    "version": 1
  }
]
{code}
- User hrt_2 tries to add a PII tag to an entity that doesn't have any pre-existing tag associated with it; this operation is successful.
- Now it tries to add a FINANCE tag to the same entity, and the expectation is that the tag should be allowed to be added, but it's denied access from the Atlas plugin.
Do we not support the _CLASSIFIED keyword in the entity-classification resource?
_NOT_CLASSIFIED is supported and also shown in the dropdown in the Ranger admin UI while creating an Atlas policy, but the same is not true for _CLASSIFIED.
Creating this Jira for more discussion on this issue.
cc [~nixon]