Any help with this? Thanks.
On Thu, Aug 24, 2017 at 12:29 PM rohit sinha <[email protected]> wrote:

> Hello,
>
> I am writing a Ranger plugin for my service and I am having trouble with
> two things.
>
> 1. Policy match on SELF (No Descendant or Ancestor)
> The resources in our service have hierarchy just like many other services
> out there. To achieve this we have defined the hierarchy in the service
> definition JSON.
> Now when we create a RangerAccessRequest for enforcement and set the
> MatchType to SELF, the enforcement call is also successful if the user has
> privilege on the ancestor of the entity. We don't want this to happen. We
> want to have a complete match.
> We looked into providing our own PolicyEvaluator but it seems like the
> policy evaluator is not customizable.
> How can we achieve this using Ranger?
>
> 2. Ability to grant privileges on parent level only
> As mentioned in the previous question, our resources have a hierarchy. For
> example:
>
> Level1Resource1 -> Leve2Resource1 -> Level3Resource1
> Level1Resource1 -> Leve2Resource1 -> Level3Resource2
> Level1Resource1 -> Leve2Resource2 -> Level3Resource1
>
> We have defined this hierarchy in the service definition; now we want to
> grant privilege just on Leve2Resource1. For example, we want to give
> someone READ on this resource. The Ranger UI does not allow me to do this.
> I am not able to grant just on Leve2Resource1. The UI asks me to fill in the
> Level3 resources too. If I mark the Level3 resources as non-mandatory, then
> while adding the privilege I get an error from the backend.
> How can I grant privileges to such resources?
>
> Thanks.
>

--
Thanks,
Rohit Sinha
