[
https://issues.apache.org/jira/browse/RANGER-5563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18075248#comment-18075248
]
Ramesh Mani commented on RANGER-5563:
-------------------------------------
[~madhan] Thanks for this proposal. One question I had was how and where are we
going to restrict say permission "write" can do only {{{}mkdir{}}},
{{{}WRITE{}}}, {{{}delete{}}}, {{{}rename{}}}, {{{}setOwner{}}} and not others.
Is it part of serviceDef as implied grants?
> support restricting grants based on actions, in addition to permissions
> -----------------------------------------------------------------------
>
> Key: RANGER-5563
> URL: https://issues.apache.org/jira/browse/RANGER-5563
> Project: Ranger
> Issue Type: New Feature
> Components: admin, plugins
> Reporter: Madhan Neethiraj
> Priority: Major
>
> Ranger policies support granting permissions on resources like
> read/write/select/insert/list/create/drop. Actions performed in a service,
> like mkdir or delete, are mapped to one of the permissions by the host
> service. Some services have fewer permissions but larger number of actions
> that can be performed. For example, HDFS service supports following
> permissions:
> * read
> * write
> * execute
> However, list of actions that can be performed are a lot more:
> * mkdirs
> * open
> * WRITE
> * delete
> * rename
> * setOwner
> * listStatus
> * listEncryptionZones
> * ..
> Enhancing Ranger polcies to restrict actions that can be performed will help
> setup finer control on accesses that can be granted. For the example given
> above, a user having {{write}} permission can perform following actions:
> {{{}mkdir{}}}, {{{}WRITE{}}}, {{{}delete{}}}, {{{}rename{}}},
> {{{}setOwner{}}}. This can be enhanced to authorize only {{WRITE}} action
> (and not {{{}mkdirs{}}}, {{{}delete{}}}, {{{}rename{}}}).
>
> Here are more details on this enhancement request:
> # Permission asked by the host service must exists for the user before
> enforcing restrictions on {{action}} i.e. only having grant for the action is
> not enough to authorize the access. Consider a policy granting {{read}}
> permission with action as {{{}mkdir{}}}. This policy doesn't allow the user
> to perform {{mkdir}} action, as the user doesn't have necessary permission,
> {{{}write{}}}, in the first place.
> # Actions should be supported in deny as well, enabling explicit denial of
> specific actions.
> # When no action is specified in a policy item, no restrictions on actions
> will be enforced i.e. all actions will be allowed.
> # It should be possible to grant access to multiple actions using wildcard
> at the end - like {{{}list*{}}}, {{{}get*{}}}.
> # This should be supported in {{RangerInlinePolicy}} as well.
> This can be implemented with a custom condition named {{{}actions{}}},
> similar to existing condition implementations like {{{}RangerIpMatcher{}}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
