[ 
https://issues.apache.org/jira/browse/RANGER-4472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17775950#comment-17775950
 ] 

Madhan Neethiraj commented on RANGER-4472:
------------------------------------------

{noformat}
commit 1725cdbb5435586452b163d6e762b6a30ba7b9d3 (HEAD -> master, origin/master, origin/HEAD)
Author: Madhan Neethiraj <mad...@apache.org>
Date:   Fri Oct 13 17:17:27 2023 -0700

    RANGER-4472: getResourceACLs() handling of tags associated with resource and its descendant - #2
{noformat}

> getResourceACL() API updates
> ----------------------------
>
>                 Key: RANGER-4472
>                 URL: https://issues.apache.org/jira/browse/RANGER-4472
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: RANGER-4472.patch
>
>
> RangerPolicyEngineImpl.getResourceACL() needs to be updated to address the 
> following issues:
> 1. The API should evaluate only policies that are relevant to the resource. 
> For example:
>  * masking and row-filter policies are not applicable for a database resource
>  * masking policies are not applicable for a table resource
>  * row-filter policies are not applicable for a column resource
> 2. When a tag is found on SELF and DESCENDANT (see example below), SELF 
> should be considered as the matchType. Currently the policy engine might 
> consider DESCENDANT as the matchType, resulting in relevant policies not 
> being evaluated.
>  * table db1.tbl1 has tag SENSITIVE
>  * column db1.tbl1.col1 has tag SENSITIVE
>  * getResourceACLs(db1.tbl1) will find the following 2 tags
>  ** SENSITIVE, with matchType=SELF
>  ** SENSITIVE, with matchType=DESCENDANT
>  * Both tags will use the same tag-based policy, since their names are the same.
>  * getResourceACLEvaluatorsForZone() can end up using DESCENDANT as it collects 
> the matchType for a given policy. This will subsequently result in the policy 
> not being evaluated, since DESCENDANT wouldn't match the matchScope specified 
> in the request



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
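
The matchType collision described in item 2 of the issue, as an added example that is not Ranger's code and not part of the commit. It is a simplified model: every class, method and policy name below is hypothetical, the request's matchScope is assumed to be SELF, and Java 16 or later is assumed for records.

```java
import java.util.*;

// Simplified model of the matchType collection described in RANGER-4472.
// All names are hypothetical; this is not Ranger's implementation.
public class MatchTypeMergeDemo {
    // Declared weakest to strongest so that a higher ordinal wins a merge (assumed ordering).
    enum MatchType { DESCENDANT, SELF }

    record Tag(String name, MatchType matchType) {}

    // Tag-based policies are looked up by tag name, so same-named tags share one policy.
    static String policyFor(Tag t) { return "tag-policy:" + t.name(); }

    // Problem case: the last tag seen for a policy overwrites the earlier matchType.
    static Map<String, MatchType> collectLastWins(List<Tag> tags) {
        Map<String, MatchType> byPolicy = new LinkedHashMap<>();
        for (Tag t : tags) byPolicy.put(policyFor(t), t.matchType());
        return byPolicy;
    }

    // Corrected case: SELF takes precedence when the tag is found on SELF and DESCENDANT.
    static Map<String, MatchType> collectSelfPreferred(List<Tag> tags) {
        Map<String, MatchType> byPolicy = new LinkedHashMap<>();
        for (Tag t : tags)
            byPolicy.merge(policyFor(t), t.matchType(),
                    (a, b) -> a.ordinal() >= b.ordinal() ? a : b);
        return byPolicy;
    }

    // Only policies whose collected matchType equals the request's scope get evaluated.
    static List<String> evaluated(Map<String, MatchType> byPolicy, MatchType scope) {
        List<String> out = new ArrayList<>();
        byPolicy.forEach((policy, matchType) -> { if (matchType == scope) out.add(policy); });
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: the two tags found for db1.tbl1 in the issue's example.
        List<Tag> tags = List.of(
                new Tag("SENSITIVE", MatchType.SELF),         // tag on table db1.tbl1
                new Tag("SENSITIVE", MatchType.DESCENDANT));  // tag on column db1.tbl1.col1
        System.out.println("last-wins:      " + evaluated(collectLastWins(tags), MatchType.SELF));
        System.out.println("SELF-preferred: " + evaluated(collectSelfPreferred(tags), MatchType.SELF));
    }
}
```

With the last-wins collection the shared tag policy drops out of the evaluated set, so the ACL reported for db1.tbl1 omits it; with the precedence merge the policy is evaluated regardless of the order in which the tags are seen.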
