[
https://issues.apache.org/jira/browse/RANGER-3526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3526:
-------------------------------------
Attachment: RANGER-3526.patch
> policy evaluation ordering to use name as secondary sorting key
> ---------------------------------------------------------------
>
> Key: RANGER-3526
> URL: https://issues.apache.org/jira/browse/RANGER-3526
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Attachments: RANGER-3526.patch
>
>
> Policy engine evaluates policies in the following order: priority, has-deny,
> has-no-deny. When multiple policies have same priority/has-deny/has-no-deny,
> the ordering is not deterministic. This doesn't impact the result for access
> policies - as all denies will be evaluated before allows. However, the result
> for masking/row-filter can vary when multiple policies exists for a given
> resource, and these policies define different mask/filter for a given
> user/group/role.
>
> Given name of a policy is unique within a service, using policy name as the
> secondary sorting key will result in deterministic evaluation order.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
