[
https://issues.apache.org/jira/browse/RANGER-704?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14968508#comment-14968508
]
Alok Lal commented on RANGER-704:
---------------------------------
Use case: We need a way to temporarily "disable" Ranger (take ranger out of the
picture) without having to bounce the service being authorized by Ranger. For
components that have fallback to native ACL this disabling would be a
fail-open. For those that don't this disabling would be fail-close.
In systems that allow fail-open this can serve as a powerful diagnostic tool
during implementation and configuration. The alternative to remove ranger
without having to lose your plugin configuration seems far too error prone. No?
> Service enable/disable should refresh the policies in the plugins
> -----------------------------------------------------------------
>
> Key: RANGER-704
> URL: https://issues.apache.org/jira/browse/RANGER-704
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Abhay Kulkarni
>
> When a service is disabled, the plugins should be refreshed with empty policy
> list - as if no policy exists in the service. In this case, the components
> like HDFS and YARN will enforce component ACLs (since fallback is set to true
> by default); other components will deny any access - since there is no policy
> exists to allow any access. And when the service is enabled, the plugins
> should be refreshed with the policies in the service. To achieve this:
> - the policyVersion associated with the service should be incremented
> whenever the service is enabled or disabled. So that the next policy refresh
> call will send updated policy list
> - the policy refresh implementation should return empty policy list when
> service is disabled
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
