Madhan Neethiraj created RANGER-4445:
----------------------------------------
Summary: GDS APIs to manage policies
Key: RANGER-4445
URL: https://issues.apache.org/jira/browse/RANGER-4445
Project: Ranger
Issue Type: Sub-task
Components: Ranger
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj

Datasets and projects in Ranger can be made accessible to users via policies.
These policies use the same data structure as regular access-control policies
of Ranger. However, instead of using existing policy management APIs,
dataset/project policies should be managed only via GDS APIs for the following
reasons:
1. Users having admin/policy-admin privilege on the dataset/project should be
   allowed to manage policies, which is different from other policies which
   require the user to have wider admin privilege or delegated-admin privilege on
   the resource.
2. Policies for a dataset/project should be deleted when the dataset/project is
   deleted.
3. Rename of a dataset/project should not impact enforcement of GDS policies.
   This might require GDS policies to refer to dataset/project via their IDs
   instead of names. Having GDS specific policy APIs will make it easier to handle
   this.
4. It is critical that dataset/project policies don't support wildcards or
   multiple resources. Supporting such will break the GDS UI that provides a
   single place to view all grants for a given dataset/project. (Though
   wildcard/multiple-resources can be restricted via service-def, power users will
   find a way to update the service-def to get around this restriction - which can
   make GDS UI show incorrect grants.)