Posted to dev@ranger.apache.org by "Alok Lal (JIRA)" <ji...@apache.org> on 2015/08/20 22:46:46 UTC

[jira] [Commented] (RANGER-613) Policy permissions on Ranger Admin web

    [ https://issues.apache.org/jira/browse/RANGER-613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14705724#comment-14705724 ] 

Alok Lal commented on RANGER-613:
---------------------------------

[~robinlin] A Ranger user with a User role can see any policies for resources that she has admin privilege over.  Note that the recursive flag would matter.  Consider the following examples:

- Given the following policies, if user1 logs into Ranger then he would see both policies, since p1 gives user1 admin access over / or anything under it.
|| policy id || Resource || User || Recursive || Permissions ||
| p1 | / | user1 | true | Read, Admin |
| p2 | /apps | user2 | false | Read |
- Given the following policies, if user1 logs into Ranger then he would see only p1: while he has access to /, p1 is not recursive, so he does not have access to the resource of p2.
|| policy id || Resource || User || Recursive || Permissions ||
| p1 | / | user1 | false | Read, Admin |
| p2 | /apps | user2 | false | Read |
- Given the following policies, if user1 logs into Ranger then he would see only p1, since he does not have admin privilege to p2's resource.
|| policy id || Resource || User || Recursive || Permissions ||
| p1 | /apps | user1 | false | Read, Admin |
| p2 | /app-logs | user2 | false | Read, Admin |


> Policy permissions on Ranger Admin web
> --------------------------------------
>
>                 Key: RANGER-613
>                 URL: https://issues.apache.org/jira/browse/RANGER-613
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 0.4.0
>            Reporter: robinlin
>            Priority: Critical
>
> Hi 
> I got some problems with the "Admin" setting in the Ranger policy edit page.
> Take the HDFS and Hive policy edit for example.
> 1) I create a user in Ranger, say "robin", as a normal user and join to group "hadoop".
> 2) Set an HDFS policy without any Robin's permission
> !http://i.imgur.com/fwMrazX.png!
> 3) Set a Hive policy without any Robin's permission
> !http://i.imgur.com/qlFDQs8.png!
> 4) Login as Robin.
> 5) In the HDFS policy list, I can see the policy on which the user Robin doesn't have any permission. This is odd.
> !http://i.imgur.com/BZuIXq1.png!
> 6) In the Hive policy list, I can only see the policy on which the user is granted "Admin". I am OK with that.
> !http://i.imgur.com/9JBx9ng.png!
> Is this a bug? Or do I misunderstand the meaning of the "Admin" setting in the policy edit page?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
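
The visibility rule described in the comment above, worked through its three policy tables as an added example (a simplified model, not Ranger's own code). The names `Policy`, `covers`, `has_admin` and `visible_policies` are hypothetical, and the model assumes plain path resources matched on whole path segments, with no groups or wildcards.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    policy_id: str
    resource: str
    user: str
    recursive: bool
    permissions: frozenset

def covers(policy, resource):
    """True if the policy's resource path applies to `resource`."""
    base = policy.resource.rstrip("/") or "/"
    target = resource.rstrip("/") or "/"
    if base == target:
        return True
    if not policy.recursive:
        return False  # non-recursive: exact resource only
    # Assumption: match on a path-segment boundary, so /apps does not cover /apps-old.
    prefix = "/" if base == "/" else base + "/"
    return target.startswith(prefix)

def has_admin(user, resource, policies):
    """True if some policy grants `user` Admin over `resource`."""
    return any(p.user == user and "Admin" in p.permissions and covers(p, resource)
               for p in policies)

def visible_policies(user, policies):
    """Ids of the policies whose resource `user` has admin privilege over."""
    return [p.policy_id for p in policies if has_admin(user, p.resource, policies)]

def make(rows):
    return [Policy(i, res, u, rec, frozenset(perms)) for i, res, u, rec, perms in rows]

# The three tables from the comment, in order.
EXAMPLE_1 = make([("p1", "/", "user1", True, ["Read", "Admin"]),
                  ("p2", "/apps", "user2", False, ["Read"])])
EXAMPLE_2 = make([("p1", "/", "user1", False, ["Read", "Admin"]),
                  ("p2", "/apps", "user2", False, ["Read"])])
EXAMPLE_3 = make([("p1", "/apps", "user1", False, ["Read", "Admin"]),
                  ("p2", "/app-logs", "user2", False, ["Read", "Admin"])])

if __name__ == "__main__":
    for name, table in (("1", EXAMPLE_1), ("2", EXAMPLE_2), ("3", EXAMPLE_3)):
        print("example", name, "user1 sees", visible_policies("user1", table))
```
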