[jira] [Comment Edited] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

Thu, 25 May 2023 08:34:10 -0700 


    [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723252#comment-17723252
 ] 

Ramesh Mani edited comment on RANGER-4165 at 5/25/23 3:31 PM:
--------------------------------------------------------------

Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74454/diff/3#0]

 

[~abhayk]  Please review this patch. Thanks.

 


was (Author: rmani):
Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74441/]

[~abhayk]  Please review this patch. Thanks.

 

>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> -----------------------------------------------------------------------
>
>                 Key: RANGER-4165
>                 URL: https://issues.apache.org/jira/browse/RANGER-4165
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: Ramesh Mani
>            Assignee: Madhan Neethiraj
>            Priority: Major
>
>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
>  * introduced resource-element matching scope SELF_OR_PREFIX, which can be 
> used to ask Ranger policy engine the following -- check if a user/group/role 
> has read access in any path/file under directory /dept/hr/ -- check if a 
> user/group/role has select access to any table having name that starts with 
> emp_ under database name hr
>  * moved SELF_OR_CHILD from enum resource-matching-scope to enum 
> resource-element-matching-scope
> This is need to create an api which can find whether a user/group is 
> authorized to the given operation on any resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to