Posted to dev@ranger.apache.org by rohit sinha <ta...@gmail.com> on 2017/08/24 19:29:01 UTC

Ranger Policy granting and matching issue

Hello,

I am writing a Ranger plugin for my service and I am having trouble with
two things.

1. Policy match on SELF (No Descendant or Ancestor)
The resources in our service have a hierarchy just like many other services
out there. To achieve this we have defined the hierarchy in the service
definition JSON.
Now when we create a RangerAccessRequest for enforcement and set the
MatchType to SELF, the enforcement call is also successful if the user has a
privilege on the ancestor of the entity. We don't want this to happen. We
want to have a complete match.
We looked into providing our own PolicyEvaluator, but it seems that the policy
evaluator is not customizable.
How can we achieve this using Ranger?

2. Ability to grant privileges on parent level only
As mentioned in the previous question our resources have a hierarchy. For
example:

Level1Resource1 -> Level2Resource1 -> Level3Resource1
Level1Resource1 -> Level2Resource1 -> Level3Resource2
Level1Resource1 -> Level2Resource2 -> Level3Resource1

We have defined this hierarchy in the service definition; now we want to
grant a privilege just on Level2Resource1. For example, we want to give
someone READ on this resource. The Ranger UI does not allow me to do this.
I am not able to grant just on Level2Resource1. The UI asks me to fill in the
Level3 resources too. If I mark the Level3 resources as non-mandatory, then
while adding the privilege I get an error from the backend.
How can I grant privileges to such resources?

Thanks.
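
As an added illustration for the two questions above (written for this page; it is not Ranger code and does not call the Ranger plugin API), the Python below models a three-level resource hierarchy like the one in the post. It assumes a simplified policy format (a dict of level -> pattern, with "*" as the wildcard) and its own MatchType values; the level names level1/level2/level3, the user and access names, and the sample policies are constructed here, while the resource names follow the post's example. It shows that when every level of the hierarchy has to be filled in, a grant on Level2Resource1 has to be written with a wildcard at level 3, that such a policy then covers every level-3 resource beneath it as a same-depth match, and what a strict literal match at every level looks like by contrast.

```python
"""Simplified model of hierarchical resource policies: an illustration, not Ranger code."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase

# Resource hierarchy as a service definition would declare it, root level first (assumed names).
HIERARCHY = ("level1", "level2", "level3")


class MatchType(Enum):
    NONE = "none"              # some level differs: the policy does not cover the resource
    SELF = "self"              # same depth and every level matches (literally or by wildcard)
    ANCESTOR = "ancestor"      # the policy stops above the requested resource
    DESCENDANT = "descendant"  # the policy goes deeper than the requested resource


@dataclass
class Policy:
    resources: dict      # level name -> pattern; "*" matches anything; a missing level means the policy stops there
    users: frozenset
    accesses: frozenset


def depth(resource):
    """Number of leading hierarchy levels present in a resource or policy."""
    n = 0
    for level in HIERARCHY:
        if level not in resource:
            break
        n += 1
    return n


def match_type(policy_res, request_res):
    """Compare a policy's resource patterns with a requested resource along the hierarchy."""
    pd, rd = depth(policy_res), depth(request_res)
    for level in HIERARCHY[:min(pd, rd)]:
        if not fnmatchcase(request_res[level], policy_res[level]):
            return MatchType.NONE
    if pd == rd:
        return MatchType.SELF
    return MatchType.ANCESTOR if pd < rd else MatchType.DESCENDANT


def is_exact(policy_res, request_res):
    """Strict self match: same depth and literal equality at every level, wildcards not accepted."""
    if depth(policy_res) != depth(request_res):
        return False
    return all(policy_res[level] == request_res[level] for level in HIERARCHY[:depth(request_res)])


def is_allowed(policies, user, access, request_res, accepted=(MatchType.SELF,), exact=False):
    """Grant if some policy for this user and access covers the resource with an accepted match type."""
    for policy in policies:
        if user not in policy.users or access not in policy.accesses:
            continue
        if exact:
            if is_exact(policy.resources, request_res):
                return True
        elif match_type(policy.resources, request_res) in accepted:
            return True
    return False


# Constructed sample data using the resource names from the post.
GRANT = (frozenset({"alice"}), frozenset({"read"}))
# The only way to cover all of Level2Resource1 when every level has to be given: wildcard at level 3.
WILDCARD_LEAF = Policy({"level1": "Level1Resource1", "level2": "Level2Resource1", "level3": "*"}, *GRANT)
# A policy that stops at level 2, which is what the post asks for.
PARTIAL = Policy({"level1": "Level1Resource1", "level2": "Level2Resource1"}, *GRANT)
# A policy on one specific leaf.
LEAF = Policy({"level1": "Level1Resource1", "level2": "Level2Resource1", "level3": "Level3Resource1"}, *GRANT)

R_LEAF1 = {"level1": "Level1Resource1", "level2": "Level2Resource1", "level3": "Level3Resource1"}
R_LEAF2 = {"level1": "Level1Resource1", "level2": "Level2Resource1", "level3": "Level3Resource2"}
R_MID = {"level1": "Level1Resource1", "level2": "Level2Resource1"}

if __name__ == "__main__":
    for name, policy in (("wildcard-leaf", WILDCARD_LEAF), ("partial", PARTIAL), ("leaf", LEAF)):
        for rname, req in (("leaf1", R_LEAF1), ("leaf2", R_LEAF2), ("mid", R_MID)):
            print(f"{name:13s} vs {rname:5s}: {match_type(policy.resources, req).name:10s} "
                  f"allowed(SELF)={is_allowed([policy], 'alice', 'read', req)} "
                  f"allowed(exact)={is_allowed([policy], 'alice', 'read', req, exact=True)}")
```

The point of the model: with WILDCARD_LEAF, a request for Level3Resource1 is a same-depth (SELF) match because the wildcard matches at level 3, so restricting enforcement to SELF does not stop a grant that was really meant for the parent; only a literal comparison at every level (is_exact) distinguishes the two. The PARTIAL policy, which stops at level 2, is classified as ANCESTOR for a level-3 request and is refused unless the caller accepts ANCESTOR matches explicitly.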

Re: Ranger Policy granting and matching issue

Posted by rohit sinha <ta...@gmail.com>.
Hello Madhan,
Thanks for your reply. I will go ahead and file a jira.
This answers my questions about not being able to grant privilege to middle
level resources.

Although, how about grants on self (the complete resource) rather than
ancestors? Even though I explicitly set the match scope to self in my
access request, the match happens on the ancestor too. How can I avoid this?

Thanks.

On Thu, Aug 24, 2017 at 11:05 PM Madhan Neethiraj <ma...@apache.org> wrote:

> Rohit,
>
> Currently, Ranger requires an entire resource-hierarchy to be specified in
> a policy. It doesn’t allow policies that stop at a higher-level resource in
> a hierarchy. This is one of the often-asked enhancements to Ranger policy
> model. Can you please file a JIRA with details of your
> use-cases/requirements?
>
> Abhay is looking into an enhancement to restrict access-types based on the
> resource (for example create/drop access-types are applicable only at
> database/table level, but not at column level). This enhancement might
> address your use-case as well. He would be able to add more details.
>
> Thanks,
> Madhan
>
>
>
>
> On 8/24/17, 4:01 PM, "rohit sinha" <ta...@gmail.com> wrote:
>
>     Any help with this ?
>
>     Thanks.
>
>     On Thu, Aug 24, 2017 at 12:29 PM rohit sinha <ta...@gmail.com>
>     wrote:
>
>     > Hello,
>     >
>     > I am writing a Ranger plugin for my service and I am having trouble
> with
>     > two things.
>     >
>     > 1. Policy match on SELF (No Descendant or Ancestor)
>     > The resources in our service have a hierarchy just like many other
> services
>     > out there. To achieve this we have defined the hierarchy in the
> service
>     > definition JSON.
>     > Now when we create a RangerAccessRequest for enforcement and set the
>     > MatchType to SELF, the enforcement call is also successful if the user
>     > has a privilege on the ancestor of the entity. We don't want this to
> happen. We
>     > want to have a complete match.
>     > We looked into providing our own PolicyEvaluator, but it seems that the
>     > policy evaluator is not customizable.
>     > How can we achieve this using Ranger?
>     >
>     > 2. Ability to grant privileges on parent level only
>     > As mentioned in the previous question our resources have a
> hierarchy. For
>     > example:
>     >
>     > Level1Resource1 -> Level2Resource1 -> Level3Resource1
>     > Level1Resource1 -> Level2Resource1 -> Level3Resource2
>     > Level1Resource1 -> Level2Resource2 -> Level3Resource1
>     >
>     > We have defined this hierarchy in the service definition; now we want
> to
>     > grant a privilege just on Level2Resource1. For example, we want to give
>     > someone READ on this resource. The Ranger UI does not allow me to do
> this.
>     > I am not able to grant just on Level2Resource1. The UI asks me to fill
> in the
>     > Level3 resources too. If I mark the Level3 resources as
> non-mandatory, then
>     > while adding the privilege I get an error from the backend.
>     > How can I grant privileges to such resources?
>     >
>     > Thanks.
>     >
>     --
>     Thanks,
>     Rohit Sinha
>
>
>
> --
Thanks,
Rohit Sinha

Re: Ranger Policy granting and matching issue

Posted by Madhan Neethiraj <ma...@apache.org>.
Rohit,

Currently, Ranger requires an entire resource-hierarchy to be specified in a policy. It doesn’t allow policies that stop at a higher-level resource in a hierarchy. This is one of the often-asked enhancements to Ranger policy model. Can you please file a JIRA with details of your use-cases/requirements?

Abhay is looking into an enhancement to restrict access-types based on the resource (for example create/drop access-types are applicable only at database/table level, but not at column level). This enhancement might address your use-case as well. He would be able to add more details.

Thanks,
Madhan




On 8/24/17, 4:01 PM, "rohit sinha" <ta...@gmail.com> wrote:

    Any help with this ?
    
    Thanks.
    
    On Thu, Aug 24, 2017 at 12:29 PM rohit sinha <ta...@gmail.com>
    wrote:
    
    > Hello,
    >
    > I am writing a Ranger plugin for my service and I am having trouble with
    > two things.
    >
    > 1. Policy match on SELF (No Descendant or Ancestor)
    > The resources in our service have a hierarchy just like many other services
    > out there. To achieve this we have defined the hierarchy in the service
    > definition JSON.
    > Now when we create a RangerAccessRequest for enforcement and set the
    > MatchType to SELF, the enforcement call is also successful if the user has a
    > privilege on the ancestor of the entity. We don't want this to happen. We
    > want to have a complete match.
    > We looked into providing our own PolicyEvaluator, but it seems that the
    > policy evaluator is not customizable.
    > How can we achieve this using Ranger?
    >
    > 2. Ability to grant privileges on parent level only
    > As mentioned in the previous question our resources have a hierarchy. For
    > example:
    >
    > Level1Resource1 -> Level2Resource1 -> Level3Resource1
    > Level1Resource1 -> Level2Resource1 -> Level3Resource2
    > Level1Resource1 -> Level2Resource2 -> Level3Resource1
    >
    > We have defined this hierarchy in the service definition; now we want to
    > grant a privilege just on Level2Resource1. For example, we want to give
    > someone READ on this resource. The Ranger UI does not allow me to do this.
    > I am not able to grant just on Level2Resource1. The UI asks me to fill in the
    > Level3 resources too. If I mark the Level3 resources as non-mandatory, then
    > while adding the privilege I get an error from the backend.
    > How can I grant privileges to such resources?
    >
    > Thanks.
    >
    -- 
    Thanks,
    Rohit Sinha
    



Re: Ranger Policy granting and matching issue

Posted by rohit sinha <ta...@gmail.com>.
Any help with this ?

Thanks.

On Thu, Aug 24, 2017 at 12:29 PM rohit sinha <ta...@gmail.com>
wrote:

> Hello,
>
> I am writing a Ranger plugin for my service and I am having trouble with
> two things.
>
> 1. Policy match on SELF (No Descendant or Ancestor)
> The resources in our service have a hierarchy just like many other services
> out there. To achieve this we have defined the hierarchy in the service
> definition JSON.
> Now when we create a RangerAccessRequest for enforcement and set the
> MatchType to SELF, the enforcement call is also successful if the user has a
> privilege on the ancestor of the entity. We don't want this to happen. We
> want to have a complete match.
> We looked into providing our own PolicyEvaluator, but it seems that the
> policy evaluator is not customizable.
> How can we achieve this using Ranger?
>
> 2. Ability to grant privileges on parent level only
> As mentioned in the previous question our resources have a hierarchy. For
> example:
>
> Level1Resource1 -> Level2Resource1 -> Level3Resource1
> Level1Resource1 -> Level2Resource1 -> Level3Resource2
> Level1Resource1 -> Level2Resource2 -> Level3Resource1
>
> We have defined this hierarchy in the service definition; now we want to
> grant a privilege just on Level2Resource1. For example, we want to give
> someone READ on this resource. The Ranger UI does not allow me to do this.
> I am not able to grant just on Level2Resource1. The UI asks me to fill in the
> Level3 resources too. If I mark the Level3 resources as non-mandatory, then
> while adding the privilege I get an error from the backend.
> How can I grant privileges to such resources?
>
> Thanks.
>
-- 
Thanks,
Rohit Sinha