[
https://issues.apache.org/jira/browse/RANGER-5563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-5563:
-------------------------------------
Description:
Ranger policies support granting permissions on resources like
read/write/select/insert/list/create/drop. Actions performed in a service, like
mkdir or delete, are mapped to one of the permissions by the host service. Some
services have fewer permissions but larger number of actions that can be
performed. For example, HDFS service supports following permissions:
* read
* write
* execute
However, list of actions that can be performed are a lot more:
* mkdirs
* open
* WRITE
* delete
* rename
* setOwner
* listStatus
* listEncryptionZones
* ..
Enhancing Ranger polcies to restrict actions that can be performed will help
setup finer control on accesses that can be granted. For the example given
above, a user having {{write}} permission can perform following actions:
{{{}mkdir{}}}, {{{}WRITE{}}}, {{{}delete{}}}, {{{}rename{}}}, {{{}setOwner{}}}.
This can be enhanced to authorize only {{WRITE}} action (and not
{{{}mkdirs{}}}, {{{}delete{}}}, {{{}rename{}}}).
Here are more details on this enhancement request:
# Permission asked by the host service must exists for the user before
enforcing restrictions on {{action}} i.e. only having grant for the action is
not enough to authorize the access. Consider a policy granting {{read}}
permission with action as {{{}mkdir{}}}. This policy doesn't allow the user to
perform {{mkdir}} action, as the user doesn't have necessary permission,
{{{}write{}}}, in the first place.
# Actions should be supported in deny as well, enabling explicit denial of
specific actions.
# When no action is specified in a policy item, no restrictions on actions
will be enforced i.e. all actions will be allowed.
# It should be possible to grant access to multiple actions using wildcard at
the end - like {{{}list*{}}}, {{{}get*{}}}.
# This should be supported in {{RangerInlinePolicy}} as well.
This can be implemented with a custom condition named {{action-matches}},
similar to existing condition implementations like {{{}RangerIpMatcher{}}}.
was:
Ranger policies support granting permissions on resources like
read/write/select/insert/list/create/drop. Actions performed in a service, like
mkdir or delete, are mapped to one of the permissions by the host service. Some
services have fewer permissions but larger number of actions that can be
performed. For example, HDFS service supports following permissions:
* read
* write
* execute
However, list of actions that can be performed are a lot more:
* mkdirs
* open
* WRITE
* delete
* rename
* setOwner
* listStatus
* listEncryptionZones
* ..
Enhancing Ranger polcies to restrict actions that can be performed will help
setup finer control on accesses that can be granted. For the example given
above, a user having {{write}} permission can perform following actions:
{{{}mkdir{}}}, {{{}WRITE{}}}, {{{}delete{}}}, {{{}rename{}}}, {{{}setOwner{}}}.
This can be enhanced to authorize only {{WRITE}} action (and not
{{{}mkdirs{}}}, {{{}delete{}}}, {{{}rename{}}}).
Here are more details on this enhancement request:
# Permission asked by the host service must exists for the user before
enforcing restrictions on {{action}} i.e. only having grant for the action is
not enough to authorize the access. Consider a policy granting {{read}}
permission with action as {{{}mkdir{}}}. This policy doesn't allow the user to
perform {{mkdir}} action, as the user doesn't have necessary permission,
{{{}write{}}}, in the first place.
# Actions should be supported in deny as well, enabling explicit denial of
specific actions.
# When no action is specified in a policy item, no restrictions on actions
will be enforced i.e. all actions will be allowed.
# It should be possible to grant access to multiple actions using wildcard at
the end - like {{{}list*{}}}, {{{}get*{}}}.
# This should be supported in {{RangerInlinePolicy}} as well.
This can be implemented with a custom condition named {{{}actions{}}}, similar
to existing condition implementations like {{{}RangerIpMatcher{}}}.
> support restricting grants based on actions, in addition to permissions
> -----------------------------------------------------------------------
>
> Key: RANGER-5563
> URL: https://issues.apache.org/jira/browse/RANGER-5563
> Project: Ranger
> Issue Type: New Feature
> Components: admin, plugins
> Reporter: Madhan Neethiraj
> Priority: Major
>
> Ranger policies support granting permissions on resources like
> read/write/select/insert/list/create/drop. Actions performed in a service,
> like mkdir or delete, are mapped to one of the permissions by the host
> service. Some services have fewer permissions but larger number of actions
> that can be performed. For example, HDFS service supports following
> permissions:
> * read
> * write
> * execute
> However, list of actions that can be performed are a lot more:
> * mkdirs
> * open
> * WRITE
> * delete
> * rename
> * setOwner
> * listStatus
> * listEncryptionZones
> * ..
> Enhancing Ranger polcies to restrict actions that can be performed will help
> setup finer control on accesses that can be granted. For the example given
> above, a user having {{write}} permission can perform following actions:
> {{{}mkdir{}}}, {{{}WRITE{}}}, {{{}delete{}}}, {{{}rename{}}},
> {{{}setOwner{}}}. This can be enhanced to authorize only {{WRITE}} action
> (and not {{{}mkdirs{}}}, {{{}delete{}}}, {{{}rename{}}}).
>
> Here are more details on this enhancement request:
> # Permission asked by the host service must exists for the user before
> enforcing restrictions on {{action}} i.e. only having grant for the action is
> not enough to authorize the access. Consider a policy granting {{read}}
> permission with action as {{{}mkdir{}}}. This policy doesn't allow the user
> to perform {{mkdir}} action, as the user doesn't have necessary permission,
> {{{}write{}}}, in the first place.
> # Actions should be supported in deny as well, enabling explicit denial of
> specific actions.
> # When no action is specified in a policy item, no restrictions on actions
> will be enforced i.e. all actions will be allowed.
> # It should be possible to grant access to multiple actions using wildcard
> at the end - like {{{}list*{}}}, {{{}get*{}}}.
> # This should be supported in {{RangerInlinePolicy}} as well.
> This can be implemented with a custom condition named {{action-matches}},
> similar to existing condition implementations like {{{}RangerIpMatcher{}}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
