Hello, I am writing a Ranger plugin for my service and I am having trouble with two things.

1. Policy match on SELF (No Descendant or Ancestor)

The resources in our service have a hierarchy, just like many other services out there. To achieve this, we have defined the hierarchy in the service definition JSON. Now, when we create a RangerAccessRequest for enforcement and set the MatchType to SELF, the enforcement call is also successful if the user has privilege on the ancestor of the entity. We don't want this to happen. We want to have a complete match. We looked into providing our own PolicyEvaluator, but it seems like the policy evaluator is not customizable. How can we achieve this using Ranger?

2. Ability to grant privileges on parent level only

As mentioned in the previous question, our resources have a hierarchy. For example:

Level1Resource1 -> Leve2Resource1 -> Level3Resource1
Level1Resource1 -> Leve2Resource1 -> Level3Resource2
Level1Resource1 -> Leve2Resource2 -> Level3Resource1

We have defined this hierarchy in the service definition. Now we want to grant privilege just on Leve2Resource1. For example, we want to give someone READ on this resource. The Ranger UI does not allow me to do this. I am not able to grant just on Leve2Resource1. The UI asks me to fill in the Level3 resources too. If I mark the Level3 resources as non-mandatory, then while adding the privilege I get an error from the backend. How can I grant privileges to such resources?

Thanks.
