[ 
https://issues.apache.org/jira/browse/RANGER-612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14696021#comment-14696021
 ] 

Don Bosco Durai commented on RANGER-612:
----------------------------------------

I had an offline discussion with Madhan and he clarified the use case. This 
applies with the introduction of tag-based policies, where, if there is an 
explicit allow to users and groups for the tag and any users/groups are not 
allowed in that policy, then Ranger shouldn't fall back to HDFS native 
permissions, but straight out deny the request.

This makes sense, because the admin's intention here is to block (or give 
explicit permissions to) certain users for the resource. When the intention is 
explicit, then all other policies, including those from HDFS native 
permissions, shouldn't be considered.

It seems the confusion was due to the way the title is written. It sounded like 
it applies to any resource-based policies. I think it should mention something 
like "If there is an explicit allow policy in Ranger, then Ranger shouldn't fall 
back to native permissions". This will apply only for HDFS and YARN for now, 
because in others we don't fall back to native policies.

> Update HDFS plugin to fallback to hadoop-acl only when there is no Ranger 
> policy to determine the authorization
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-612
>                 URL: https://issues.apache.org/jira/browse/RANGER-612
>             Project: Ranger
>          Issue Type: Sub-task
>          Components: plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
>
>
> Currently (ranger-0.5), Ranger HDFS plugin does a fallback to hadoop-acl when 
> Ranger policies do not allow the requested access. This should be updated to 
> fallback only when Ranger policies do not determine the authorization i.e. 
> there is no Ranger policy to either ALLOW or DENY the access. This fix is 
> required to support scenarios where Ranger policies can DENY the access.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
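
The fallback rule in the quoted issue description, modelled as an added example (not Ranger's code and not part of the original message). The policy table, the ACL table and every function name are hypothetical and constructed for illustration; tag-based policies are not modelled, and a user named in neither list of a matching policy is treated as "not determined".

```python
from enum import Enum

class Decision(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    NOT_DETERMINED = "NOT_DETERMINED"

# Constructed sample policy (hypothetical format, not Ranger's policy model).
POLICIES = {"/data/finance": {"allow": {"alice"}, "deny": {"bob"}}}
# Constructed stand-in for hadoop-acl / native HDFS permissions.
NATIVE_ACL = {"/data/finance": {"alice", "bob", "carol"}, "/tmp/scratch": {"bob"}}

def match(table, path):
    """Return the entry for the longest path prefix present in table, or None."""
    best = None
    for prefix in table:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return table[best] if best is not None else None

def ranger_decision(user, path):
    """Three-state result: a policy may ALLOW, DENY, or say nothing."""
    policy = match(POLICIES, path)
    if policy is None:
        return Decision.NOT_DETERMINED
    if user in policy["deny"]:
        return Decision.DENY  # deny is checked first in this sketch
    if user in policy["allow"]:
        return Decision.ALLOW
    return Decision.NOT_DETERMINED

def native_allows(user, path):
    users = match(NATIVE_ACL, path)
    return users is not None and user in users

def authorize_before(user, path):
    """ranger-0.5 as described: fall back whenever Ranger does not allow."""
    if ranger_decision(user, path) is Decision.ALLOW:
        return True
    return native_allows(user, path)  # an explicit DENY is overridden here

def authorize_after(user, path):
    """Requested fix: fall back only when no policy determines the result."""
    decision = ranger_decision(user, path)
    if decision is Decision.NOT_DETERMINED:
        return native_allows(user, path)
    return decision is Decision.ALLOW
```

With the constructed data, `bob` is denied by policy but granted by the native ACL, so only `authorize_after` honours the DENY.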
