You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2021/11/27 21:01:00 UTC
[jira] [Created] (RANGER-3526) policy evaluation ordering to use name as secondary sorting key
Madhan Neethiraj created RANGER-3526:
----------------------------------------
Summary: policy evaluation ordering to use name as secondary sorting key
Key: RANGER-3526
URL: https://issues.apache.org/jira/browse/RANGER-3526
Project: Ranger
Issue Type: Improvement
Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj
Policy engine evaluates policies in the following order: priority, has-deny, has-no-deny. When multiple policies have same priority/has-deny/has-no-deny, the ordering is not deterministic. This doesn't impact the result for access policies - as all denies will be evaluated before allows. However, the result for masking/row-filter can vary when multiple policies exists for a given resource, and these policies define different mask/filter for a given user/group/role.
Given name of a policy is unique within a service, using policy name as the secondary sorting key will result in deterministic evaluation order.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)