Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2021/11/27 21:01:00 UTC

[jira] [Created] (RANGER-3526) policy evaluation ordering to use name as secondary sorting key

Madhan Neethiraj created RANGER-3526:
----------------------------------------

             Summary: policy evaluation ordering to use name as secondary sorting key
                 Key: RANGER-3526
                 URL: https://issues.apache.org/jira/browse/RANGER-3526
             Project: Ranger
          Issue Type: Improvement
          Components: plugins
            Reporter: Madhan Neethiraj
            Assignee: Madhan Neethiraj


The policy engine evaluates policies in the following order: priority, has-deny, has-no-deny. When multiple policies have the same priority/has-deny/has-no-deny, the ordering is not deterministic. This doesn't impact the result for access policies, as all denies will be evaluated before allows. However, the result for masking/row-filter can vary when multiple policies exist for a given resource, and these policies define different masks/filters for a given user/group/role.

 

Given that the name of a policy is unique within a service, using the policy name as the secondary sorting key will result in a deterministic evaluation order.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
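
Added example, not part of the original message and not Ranger's own code: a simplified model of the ordering problem described in the issue, showing how the effective mask for a user in two groups depends on policy load order until the policy name is used as a tie-breaker. The Policy record, the comparators, the "first matching policy decides the mask" rule, the "higher priority value is evaluated first" rule and the sample policies are all assumptions made for illustration.

```java
import java.util.*;

public class MaskPolicyOrdering {
    // Hypothetical, simplified policy model (requires Java 16+ for records).
    record Policy(String name, int priority, boolean hasDeny, String group, String maskType) {}

    // Ordering from the issue text: priority, then policies with deny before those without.
    // Assumption: a higher priority value is evaluated earlier.
    static final Comparator<Policy> PRIMARY_ONLY = (x, y) -> {
        int c = Integer.compare(y.priority(), x.priority());
        return c != 0 ? c : Boolean.compare(y.hasDeny(), x.hasDeny());
    };

    // Proposed change: policy name (unique within a service) breaks the remaining ties.
    static final Comparator<Policy> WITH_NAME = PRIMARY_ONLY.thenComparing(Policy::name);

    // Assumption: the first policy in evaluation order that matches the user decides the mask.
    static String effectiveMask(Collection<Policy> loaded, Comparator<Policy> order,
                                Set<String> userGroups) {
        List<Policy> sorted = new ArrayList<>(loaded);
        sorted.sort(order); // stable sort: tied policies keep whatever order they were loaded in
        for (Policy p : sorted) {
            if (userGroups.contains(p.group())) {
                return p.maskType();
            }
        }
        return "NO_MASK";
    }

    public static void main(String[] args) {
        // Constructed sample: two masking policies on the same column, same priority, no deny.
        Policy analysts = new Policy("mask-ssn-analysts", 0, false, "analysts", "MASK_SHOW_LAST_4");
        Policy contractors = new Policy("mask-ssn-contractors", 0, false, "contractors", "MASK_HASH");
        Set<String> userGroups = Set.of("analysts", "contractors"); // user is in both groups

        List<Policy> loadOrderA = List.of(analysts, contractors);
        List<Policy> loadOrderB = List.of(contractors, analysts);

        // Without a secondary key, the weaker or stronger mask wins depending on load order.
        System.out.println("primary only, order A: " + effectiveMask(loadOrderA, PRIMARY_ONLY, userGroups));
        System.out.println("primary only, order B: " + effectiveMask(loadOrderB, PRIMARY_ONLY, userGroups));

        // With the name as secondary key, both load orders give the same mask.
        System.out.println("with name,    order A: " + effectiveMask(loadOrderA, WITH_NAME, userGroups));
        System.out.println("with name,    order B: " + effectiveMask(loadOrderB, WITH_NAME, userGroups));
    }
}
```

A deterministic order makes the outcome repeatable across plugin instances and restarts; which mask should apply to such a user is still decided by how the policies are named or prioritised.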