[
https://issues.apache.org/jira/browse/RANGER-5563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18075266#comment-18075266
]
Madhan Neethiraj commented on RANGER-5563:
------------------------------------------
[~rmani] - the proposal is not to capture actions in Ranger service-def, hence
there is no expectation of mapping a permission to set of actions.
{{action-matches}} will be a condition available for any service-def. If a
policy-item has values specified for this condition, then the policy-item would
apply only if the action specified in the request
({{RangerAccessRequest.action}}) matches one of the values given in the
policy item. Here is a sample policy that allows only {{CREATE_TABLE}} action,
but not other actions like {{CREATE_VIEW}}:
{noformat}
{
  "name": "database: sales",
  "resources": {
    "database": { "values": [ "sales" ] },
    "table": { "values": [ "*" ] }
  },
  "policyItems": [
    {
      "users": [ "john" ],
      "accesses": [ { "type": "create" } ],
      "conditions": [ { "type": "action-matches", "values": [ "CREATE_TABLE" ] } ]
    }
  ]
}
{noformat}
Hope this helps.
> support restricting grants based on actions, in addition to permissions
> -----------------------------------------------------------------------
>
> Key: RANGER-5563
> URL: https://issues.apache.org/jira/browse/RANGER-5563
> Project: Ranger
> Issue Type: New Feature
> Components: admin, plugins
> Reporter: Madhan Neethiraj
> Priority: Major
>
> Ranger policies support granting permissions on resources like
> read/write/select/insert/list/create/drop. Actions performed in a service,
> like mkdir or delete, are mapped to one of the permissions by the host
> service. Some services have fewer permissions but larger number of actions
> that can be performed. For example, HDFS service supports following
> permissions:
> * read
> * write
> * execute
> However, list of actions that can be performed are a lot more:
> * mkdirs
> * open
> * WRITE
> * delete
> * rename
> * setOwner
> * listStatus
> * listEncryptionZones
> * ..
> Enhancing Ranger policies to restrict actions that can be performed will help
> setup finer control on accesses that can be granted. For the example given
> above, a user having {{write}} permission can perform the following actions:
> {{mkdir}}, {{WRITE}}, {{delete}}, {{rename}}, {{setOwner}}. This can be
> enhanced to authorize only {{WRITE}} action (and not {{mkdirs}}, {{delete}},
> {{rename}}).
>
> Here are more details on this enhancement request:
> # Permission asked by the host service must exist for the user before
> enforcing restrictions on {{action}} i.e. only having grant for the action is
> not enough to authorize the access. Consider a policy granting {{read}}
> permission with action as {{mkdir}}. This policy doesn't allow the user
> to perform {{mkdir}} action, as the user doesn't have necessary permission,
> {{write}}, in the first place.
> # Actions should be supported in deny as well, enabling explicit denial of
> specific actions.
> # When no action is specified in a policy item, no restrictions on actions
> will be enforced i.e. all actions will be allowed.
> # It should be possible to grant access to multiple actions using wildcard
> at the end - like {{list*}}, {{get*}}.
> # This should be supported in {{RangerInlinePolicy}} as well.
> This can be implemented with a custom condition named {{action-matches}},
> similar to existing condition implementations like {{RangerIpMatcher}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
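The evaluation rules described in the comment and in the quoted issue (the requested permission must be granted before any action restriction is considered, an action-matches condition with a trailing wildcard, an empty value list meaning no restriction, and deny support) as an added example in Python. This is a toy evaluator written for this page, not Ranger's own policy engine or its RangerAccessRequest API; the sample policies and requests are constructed in the JSON shape shown in the comment, and the deny-before-allow ordering across policies is an assumption of this model.

```python
import fnmatch

# Constructed sample policies in the shape of the JSON from the comment.
# "denyPolicyItems" models rule 2 of the issue (actions restrictable in deny).
POLICIES = [
    {
        "name": "database: sales",
        "resources": {"database": {"values": ["sales"]}, "table": {"values": ["*"]}},
        "policyItems": [
            {"users": ["john"], "accesses": [{"type": "create"}],
             "conditions": [{"type": "action-matches", "values": ["CREATE_TABLE"]}]},
        ],
        "denyPolicyItems": [],
    },
    {
        "name": "hdfs: /data",
        "resources": {"path": {"values": ["/data/*"]}},
        "policyItems": [
            # alice may write, but only for the WRITE action (not mkdirs/delete/rename)
            {"users": ["alice"], "accesses": [{"type": "write"}],
             "conditions": [{"type": "action-matches", "values": ["WRITE"]}]},
            # trailing-wildcard grant: list*, plus the exact action "open"
            {"users": ["alice"], "accesses": [{"type": "read"}],
             "conditions": [{"type": "action-matches", "values": ["list*", "open"]}]},
            # rule 1 of the issue: read permission with action mkdirs does NOT
            # authorize mkdirs, because the host service asks for write
            {"users": ["carol"], "accesses": [{"type": "read"}],
             "conditions": [{"type": "action-matches", "values": ["mkdirs"]}]},
            # rule 3 of the issue: no action condition => all actions allowed
            {"users": ["bob"], "accesses": [{"type": "read"}], "conditions": []},
        ],
        "denyPolicyItems": [
            {"users": ["bob"], "accesses": [{"type": "read"}],
             "conditions": [{"type": "action-matches", "values": ["listEncryptionZones"]}]},
        ],
    },
]


def action_matches(action, patterns):
    """Model of the proposed action-matches condition (hypothetical semantics).

    An empty value list places no restriction on actions. Otherwise the request
    action must equal a value exactly, or match a value whose only wildcard is a
    trailing '*' (rule 4 of the issue: list*, get*).
    """
    if not patterns:
        return True
    if action is None:
        return False
    for pattern in patterns:
        if pattern.endswith("*"):
            if action.startswith(pattern[:-1]):
                return True
        elif action == pattern:
            return True
    return False


def resource_matches(policy_resources, request_resource):
    """Every resource level named by the policy must be present and match."""
    for level, spec in policy_resources.items():
        value = request_resource.get(level)
        if value is None:
            return False
        if not any(fnmatch.fnmatchcase(value, v) for v in spec["values"]):
            return False
    return True


def item_matches(item, user, access_type, action):
    """User, requested permission and all conditions must match the item."""
    if user not in item.get("users", []):
        return False
    # Permission (access type) is checked before any action restriction.
    if access_type not in {a["type"] for a in item.get("accesses", [])}:
        return False
    for cond in item.get("conditions", []):
        if cond["type"] == "action-matches" and not action_matches(action, cond.get("values", [])):
            return False
    return True


def evaluate(policies, user, resource, access_type, action=None):
    """Return ALLOWED, DENIED or NOT_DETERMINED for one access request.

    Assumption of this model: a matching deny item in any applicable policy
    wins over allow items elsewhere.
    """
    result = "NOT_DETERMINED"
    for policy in policies:
        if not resource_matches(policy["resources"], resource):
            continue
        if any(item_matches(i, user, access_type, action) for i in policy.get("denyPolicyItems", [])):
            return "DENIED"
        if any(item_matches(i, user, access_type, action) for i in policy.get("policyItems", [])):
            result = "ALLOWED"
    return result
```

Running `evaluate(POLICIES, "john", {"database": "sales", "table": "orders"}, "create", "CREATE_TABLE")` yields ALLOWED while the same request with action CREATE_VIEW is NOT_DETERMINED, which is the behaviour the sample policy in the comment is meant to express; carol's read-with-mkdirs grant never authorizes a write request, matching rule 1 of the issue.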