You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2023/02/14 17:48:00 UTC
[jira] [Updated] (RANGER-4083) Tag-based policy UI to not show permissions in deny/exception for services that don't support deny/exception
[ https://issues.apache.org/jira/browse/RANGER-4083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj updated RANGER-4083:
-------------------------------------
Description:
Ranger provides service-def option enableDenyAndExceptionsInPolicies to support services where explicit deny and expception are not feasible - for example services like Elasticsearch, Kylin, Nifi-Registry, Nifi, Sqoop. For such services, policy UI shows only allow policy items in resource-based policies. However, tag-based policies are common across all service-types, hence deny and exception policy-items are shown in policy UI. This allows users to setup tag-based policies to deny access to users/group/roles - even though they may not work for above services.
To eliminate confusion, tag-based policy UI should not show permissions in deny and expception policy-items for service-types that don’t support deny and exceptions i.e., service-defs having options.enableDenyAndExceptionsInPolicies=false.
CC: [~nitin.galave], [~Dhaval.Rajpara]
was:
Ranger provides service-def option enableDenyAndExceptionsInPolicies to support services where explicit deny and expception are not feasible - for example services like Elasticsearch, Kylin, Nifi-Registry, Nifi, Sqoop. For such services, policy UI shows only allow policy items in resource-based policies. However, tag-based policies are common across all service-types, hence deny and exception policy-items are shown in policy UI. This allows users to setup tag-based policies to deny access to users/group/roles - even though they may not work for policy-sync connectors.
To eliminate confusion, tag-based policy UI should not show permissions in deny and expception policy-items for service-types that don’t support deny and exceptions i.e., service-defs having options.enableDenyAndExceptionsInPolicies=false.
CC: [~nitin.galave], [~Dhaval.Rajpara]
> Tag-based policy UI to not show permissions in deny/exception for services that don't support deny/exception
> ------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-4083
> URL: https://issues.apache.org/jira/browse/RANGER-4083
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Reporter: Madhan Neethiraj
> Priority: Major
>
> Ranger provides service-def option enableDenyAndExceptionsInPolicies to support services where explicit deny and expception are not feasible - for example services like Elasticsearch, Kylin, Nifi-Registry, Nifi, Sqoop. For such services, policy UI shows only allow policy items in resource-based policies. However, tag-based policies are common across all service-types, hence deny and exception policy-items are shown in policy UI. This allows users to setup tag-based policies to deny access to users/group/roles - even though they may not work for above services.
> To eliminate confusion, tag-based policy UI should not show permissions in deny and expception policy-items for service-types that don’t support deny and exceptions i.e., service-defs having options.enableDenyAndExceptionsInPolicies=false.
> CC: [~nitin.galave], [~Dhaval.Rajpara]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)