Posted to dev@atlas.apache.org by "Alberto Romero (JIRA)" <ji...@apache.org> on 2018/07/09 13:27:00 UTC

[jira] [Updated] (ATLAS-2784) Wildcards not supported for authorization granularity in Ranger policies

     [ https://issues.apache.org/jira/browse/ATLAS-2784?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alberto Romero updated ATLAS-2784:
----------------------------------
    Description: 
Creating Ranger policies for Atlas resources (such as entities, types, terms and taxonomies) does not allow for actual multitenancy or segregation of permissions, because the policies ignore wildcards (*). For example, one cannot define a policy for type "user_*" to allow users or groups of users to create, read or update only types that start with the string "user_".

The problem is that Atlas throws a 403 error "You are not authorized for READ on [ENTITY] : *" even when trying to read a specific entity that would match the pattern that contains the wildcard. In the UI it is exactly the same. The expected behaviour would be for the user to only be able to see entities, terms, etc. that match the pattern, but the fact is that it complains about not being able to READ on [ENTITY] : *. The '*' in the error is the clue there: it is actually expecting access to everything.
It is only when we add the users to a policy that gives them access to '*' that it works for them.

  was:
Creating Ranger policies for Atlas resources (such as entities, types, terms and taxonomies) does not allow for actual multitenancy or segregation of permissions, because the policies ignore wildcards (*). For example, one cannot define a policy for type "user_*" to allow users or groups of users to create, read or update only types that start with the string "user_".

The problem is that Atlas throws a 403 error "You are not authorized for READ on [ENTITY] : *" even when trying to read a specific entity that would match the pattern that contains the wildcard. In the UI it is exactly the same. The expected behaviour would be for the user to only be able to see entities, terms, etc. that match the pattern, but the fact is that it complains about not being able to READ on [ENTITY] : *. The '*' in the error is the clue there: it is actually expecting access to everything.
It is only when we add the users to a policy that gives them access to '*' that it works for them.


> Wildcards not supported for authorization granularity in Ranger policies
> ------------------------------------------------------------------------
>
>                 Key: ATLAS-2784
>                 URL: https://issues.apache.org/jira/browse/ATLAS-2784
>             Project: Atlas
>          Issue Type: Improvement
>          Components:  atlas-core
>    Affects Versions: 0.8.2
>            Reporter: Alberto Romero
>            Priority: Major
>
> Creating Ranger policies for Atlas resources (such as entities, types, terms and taxonomies) does not allow for actual multitenancy or segregation of permissions, because the policies ignore wildcards (*). For example, one cannot define a policy for type "user_*" to allow users or groups of users to create, read or update only types that start with the string "user_".
> The problem is that Atlas throws a 403 error "You are not authorized for READ on [ENTITY] : *" even when trying to read a specific entity that would match the pattern that contains the wildcard. In the UI it is exactly the same. The expected behaviour would be for the user to only be able to see entities, terms, etc. that match the pattern, but the fact is that it complains about not being able to READ on [ENTITY] : *. The '*' in the error is the clue there: it is actually expecting access to everything.
> It is only when we add the users to a policy that gives them access to '*' that it works for them.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
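The report above diagnoses the failure from the error text: the authorization check is made for the literal resource '*' rather than for the concrete entity the user is about to see, so only a policy that itself grants '*' can satisfy it. The following is an added illustration, not Atlas or Ranger code: a deliberately simplified, deny-by-default policy evaluator with Ranger-style glob resources (only '*' and '?' are assumed as wildcards, via Python's fnmatch). It shows the same mismatch with a "user_*" policy, and contrasts the coarse "may I READ '*'?" check with evaluating each concrete entity. The policy, user, group and entity names are constructed sample data.

```python
"""
Simplified model of wildcard resource matching in Ranger-style policies.

Added example, not Ranger's or Atlas's implementation. Resource patterns are
matched with fnmatch globs ('*' and '?'); real Ranger matchers differ in details
(case handling, excludes, recursion), which is not needed to show the point.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Iterable, List, Set


@dataclass
class Policy:
    """One allow policy: a resource pattern, the actions it grants, and the principals."""
    resource: str                                   # glob such as "user_*" or "*"
    actions: Set[str]                               # e.g. {"read", "create", "update"}
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)

    def applies_to(self, user: str, groups: Set[str]) -> bool:
        """True if the policy names this user directly or one of the user's groups."""
        return user in self.users or bool(self.groups & groups)


def is_authorized(policies: List[Policy], user: str, groups: Iterable[str],
                  action: str, resource: str) -> bool:
    """Deny by default: allow only if some applicable policy grants the action
    and its resource pattern matches the *concrete* resource being accessed."""
    group_set = set(groups)
    return any(
        p.applies_to(user, group_set)
        and action in p.actions
        and fnmatchcase(resource, p.resource)
        for p in policies
    )


def coarse_list_check(policies: List[Policy], user: str, groups: Iterable[str],
                      action: str) -> bool:
    """The failure mode described in the report: a search/listing call asks for
    access to the literal resource '*'.  fnmatchcase('*', 'user_*') is False,
    so a user whose only policy is 'user_*' is denied, and only a policy whose
    resource is exactly '*' can pass."""
    return is_authorized(policies, user, groups, action, "*")


def filtered_list(policies: List[Policy], user: str, groups: Iterable[str],
                  action: str, candidates: Iterable[str]) -> List[str]:
    """Granular alternative: evaluate every concrete entity the call would return
    and keep only the ones the caller is authorized for."""
    return [c for c in candidates if is_authorized(policies, user, groups, action, c)]


# Constructed sample policies (hypothetical names, not taken from any deployment).
SAMPLE_POLICIES: List[Policy] = [
    Policy(resource="user_*", actions={"read", "create", "update"}, users={"alice"}),
    Policy(resource="*", actions={"read"}, groups={"admins"}),
]


def demo() -> dict:
    """Run the three checks against the sample policies and return the outcomes."""
    entities = ["user_1", "order_7", "user_2"]
    return {
        # alice's 'user_*' policy covers a concrete matching entity ...
        "alice_reads_user_1": is_authorized(SAMPLE_POLICIES, "alice", [], "read", "user_1"),
        # ... but not an entity outside the pattern.
        "alice_reads_order_7": is_authorized(SAMPLE_POLICIES, "alice", [], "read", "order_7"),
        # Coarse check: alice is denied on '*' although every entity she would
        # see is permitted; only the '*' policy (admins) satisfies it.
        "alice_coarse_list": coarse_list_check(SAMPLE_POLICIES, "alice", [], "read"),
        "admin_coarse_list": coarse_list_check(SAMPLE_POLICIES, "bob", ["admins"], "read"),
        # Per-entity filtering gives the segregation the report expects.
        "alice_filtered_list": filtered_list(SAMPLE_POLICIES, "alice", [], "read", entities),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for anyone wiring an authorizer to a pattern-based policy store: a check on the wildcard itself ("*") is a request for unrestricted access, and deny-by-default evaluation will correctly refuse it unless such a grant exists. Listing and search paths need either per-result evaluation, as in `filtered_list`, or a query-time check that the caller's policy pattern subsumes the requested scope; otherwise the only way to make users functional is the blanket '*' grant the reporter had to fall back on.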