[ 
https://issues.apache.org/jira/browse/RANGER-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15749264#comment-15749264
 ] 

Madhan Neethiraj commented on RANGER-1199:
------------------------------------------

The side effect of this optimization is that only the tags that have tag-based 
policies will be shown in the audit logs. Consider the following:
- table 'default.tbl1' is tagged with PII and FINANCE tags
- there is a tag-based policy for PII
- there is no tag-based policy for FINANCE

Audit log for access to 'default.tbl1' will only show tag PII and not FINANCE. 
Prior to this optimization, the audit log would show all the tags associated 
with the resource - irrespective of whether a tag-based policy exists for a tag or 
not.

I think it will be useful to have the ability to 'turn-off' this optimization - 
via a Ranger Admin configuration, to get back the earlier behavior. However, 
the optimization should be enabled by default.

[~abhayk] - please review.

> Optimize tag-download to include only tags that have policies
> -------------------------------------------------------------
>
>                 Key: RANGER-1199
>                 URL: https://issues.apache.org/jira/browse/RANGER-1199
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 0.6.0, 0.6.1
>            Reporter: Madhan Neethiraj
>            Assignee: Abhay Kulkarni
>             Fix For: 0.7.0
>
>
> For the calls to download tags from plugins, Ranger Admin returns all the 
> service-resources that have one or more tags associated. This can be 
> optimized to include only service-resources that have tags for which policies 
> exist.
> For example, if tag-based policies exist for tags PII and PCI, Ranger Admin 
> should return service-resources that are associated with PII or PCI tags 
> only; any service-resource that is not associated with either of these tags 
> should be excluded. In addition to reducing the size of the tag-download, 
> this can improve policy-engine performance by not having to deal with tags 
> that don't have policies.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
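
An added illustration, not part of the original message and not Ranger code: a small Python model of the tag-download filter described above and of which tags remain available to audit records. The function names, the `only_tags_with_policies` switch and every sample table other than 'default.tbl1' are assumptions made for the example.

```python
# Constructed model of the behaviour discussed in RANGER-1199 (hypothetical names).

# Constructed sample data: service-resource -> tags attached to it.
RESOURCE_TAGS = {
    "default.tbl1": {"PII", "FINANCE"},
    "default.tbl2": {"FINANCE"},
    "default.tbl3": {"PCI"},
    "default.tbl4": set(),
}
# Tags for which a tag-based policy exists.
POLICY_TAGS = {"PII", "PCI"}


def build_tag_download(resource_tags, policy_tags, only_tags_with_policies=True):
    """Return the resource -> tags map a plugin would receive."""
    if not only_tags_with_policies:
        # Earlier behaviour: every resource that has at least one tag, all tags kept.
        return {res: set(tags) for res, tags in resource_tags.items() if tags}
    download = {}
    for res, tags in resource_tags.items():
        kept = set(tags) & set(policy_tags)
        if kept:  # a resource left with no policy-backed tag is excluded entirely
            download[res] = kept
    return download


def audited_tags(download, resource):
    """Tags an audit record can show: only those present in the download."""
    return sorted(download.get(resource, ()))


def audit_blind_spots(resource_tags, policy_tags):
    """Per resource, the tags that drop out of audit logs when the filter is on."""
    full = build_tag_download(resource_tags, policy_tags, False)
    slim = build_tag_download(resource_tags, policy_tags, True)
    gaps = {}
    for res, tags in full.items():
        missing = tags - slim.get(res, set())
        if missing:
            gaps[res] = sorted(missing)
    return gaps


if __name__ == "__main__":
    slim = build_tag_download(RESOURCE_TAGS, POLICY_TAGS)
    print("audit tags for default.tbl1:", audited_tags(slim, "default.tbl1"))
    print("tags missing from audit:", audit_blind_spots(RESOURCE_TAGS, POLICY_TAGS))
```

Running the blind-spot check against a real tag inventory before relying on audit searches by tag shows which tags need a policy, or the earlier behaviour, to stay visible.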
