[ https://issues.apache.org/jira/browse/RANGER-3526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj updated RANGER-3526: ------------------------------------- Attachment: RANGER-3526.patch > policy evaluation ordering to use name as secondary sorting key > --------------------------------------------------------------- > > Key: RANGER-3526 > URL: https://issues.apache.org/jira/browse/RANGER-3526 > Project: Ranger > Issue Type: Improvement > Components: plugins > Reporter: Madhan Neethiraj > Assignee: Madhan Neethiraj > Priority: Major > Attachments: RANGER-3526.patch > > > Policy engine evaluates policies in the following order: priority, has-deny, > has-no-deny. When multiple policies have same priority/has-deny/has-no-deny, > the ordering is not deterministic. This doesn't impact the result for access > policies - as all denies will be evaluated before allows. However, the result > for masking/row-filter can vary when multiple policies exists for a given > resource, and these policies define different mask/filter for a given > user/group/role. > > Given name of a policy is unique within a service, using policy name as the > secondary sorting key will result in deterministic evaluation order. -- This message was sent by Atlassian Jira (v8.20.1#820001)