In High Level Concepts:

Ranger Tag database: This database or tables are used to store resources which are tagged. This would also have the attributes associated with the resource for the tag. Ranger tag database should be able to store static or meta level tags. However, tags at the row or cell level should be stored at the component level or should be queried with the Tag Source System during policy execution from the component plugin.

What is "static" or "meta-level" tag? What would be an example of storing at Component level? Say, for hbase, does that mean that cell level tags be part of the cell data itself?

Ranger Tag policies: Ranger needs to support policies which are defined at the Tag level. Since tag policies are configured at global level, it needs to address the permission set supported by the different components. TODO DISCUSS: Tag policies across repository

To me this seems like not policies but tags are global. To deal with a tag that applies to more than one type of repo, policy would have to let user specify accesses for multiple repo-types. As an aside, today policy names are unique within a service. That rule would have to be reviewed, unless of course, we would have a "faux service" that these "global" policies belong to.

Dynamic policy execution: These extendable policies can be used to support advanced use cases which need special understanding of the tag and attribute value. E.g. if there is a policy which currently says it should expire in “90” days, but later on the requirement changes to “60” days, then the customer might design the tag based policies where the value “days” is accepted via policy definition or from other source, but do the computation in real-time based on when the resource was created. Out here, the resource would have tag with attribute “CreateTime” and it would be set when the source is tagged and sent to Ranger.

For this to work, won't policy have to allow for different ContextEnrichers based on type of component in which it is being evaluated? While evaluation can be generic given a CreateTime in context, harvesting of the CreateTime from the context would necessarily be component dependent.

In Requirements:

Users would classify data externally in Apache Atlas or an external system

So we don't want to provide a way for users to specify resource-tag association via Ranger UI. Not for now at least. Is it?
One can envision "external" and "internal" resource-to-tag associations just as we have external and internal users today.

In Use Cases/Scenarios:

If data is classified with multiple tags, there could be a possibility that different policies exist for different tags. Users should be given access if any of the policies provide access to the user or the group. Exceptions would be sensitive or classified policies where users could be explicitly granted or denied permissions. If a user is denied permission in a policy, it would take precedence over any access given in other policies.

This exceptional treatment – must pass or no other tags/policies matter – is it an attribute of the policy of the tag?

From: Balaji Ganesan
Reply-To: "[email protected]"
Date: Tuesday, August 11, 2015 at 12:59 PM
To: "[email protected]"
Cc: "[email protected]"
Subject: Re: DISCUSS: Ranger-274 - Support for tag based policies

+1 to Bosco's comment. Alok, would you be able to send the comments to this thread?

On Tue, Aug 11, 2015 at 11:30 AM, Don Bosco Durai <[email protected]> wrote:

Comments and responses in Wiki page are not manageable and also everyone doesn't subscribe to wiki updates. I have seen most ASF projects discuss in user or dev mailing list. The discussions and threads get archived for future references.

It might be good to give your comments in this mailing list. Feedbacks can be consolidated and wiki can be updated by wiki page owner on regular basis.

Thanks

Bosco

On 8/11/15, 11:13 AM, "Alok Lal" <[email protected]> wrote:

>I have added my comments directly on the wiki page! Perhaps that worked
>for me due to permission levels?
>
>On 8/11/15, 10:15 AM, "Don Bosco Durai" <[email protected] on behalf of [email protected]> wrote:
>
>>Added user mailing list. So others can also provide feedback.
>>
>>Thanks
>>
>>Bosco
>>
>>On 8/11/15, 1:05 AM, "Balaji Ganesan" <[email protected]> wrote:
>>
>>>I have added my initial thoughts here.
>>>
>>>https://cwiki.apache.org/confluence/display/RANGER/Tag+based+policy+requirements
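
The evaluation rules discussed in this thread (access if any tag's policy grants it, an explicit deny taking precedence over every grant, and a grant that lapses a configurable number of days after the tag's CreateTime attribute), modelled as an added example. It is not Ranger code and not part of the original messages; `TagPolicy`, `evaluate`, `valid_days` and the sample tags and groups are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class TagPolicy:                      # hypothetical model, not a Ranger class
    tag: str
    allow: set = field(default_factory=set)   # users/groups granted access
    deny: set = field(default_factory=set)    # users/groups explicitly denied
    valid_days: Optional[int] = None          # grant lapses N days after CreateTime

def evaluate(principals, resource_tags, policies, now):
    """principals: the user plus their groups.
    resource_tags: {tag name: {attribute name: value}} for one resource."""
    principals = set(principals)
    allowed = False
    for policy in policies:
        attrs = resource_tags.get(policy.tag)
        if attrs is None:
            continue                  # this policy's tag is not on the resource
        if principals & policy.deny:
            return "DENY"             # explicit deny overrides any allow, in any order
        if not (principals & policy.allow):
            continue
        if policy.valid_days is not None:
            created = attrs.get("CreateTime")
            # Without CreateTime the grant cannot be shown to be current: skip it.
            if created is None or now - created > timedelta(days=policy.valid_days):
                continue
        allowed = True                # keep scanning: a later policy may still deny
    return "ALLOW" if allowed else "DENY"

# Constructed sample data: one resource carrying two tags.
NOW = datetime(2015, 8, 11)
TAGS = {"PII": {"CreateTime": datetime(2015, 6, 1)}, "FINANCE": {}}
POLICIES = [
    TagPolicy("PII", allow={"analysts"}, valid_days=90),
    TagPolicy("FINANCE", allow={"finance"}, deny={"contractors"}),
]

if __name__ == "__main__":
    print(evaluate({"alice", "analysts"}, TAGS, POLICIES, NOW))
    print(evaluate({"bob", "analysts", "contractors"}, TAGS, POLICIES, NOW))
```

Changing `valid_days` from 90 to 60 flips the first result without re-tagging the resource, because the age is computed at evaluation time from the stored CreateTime.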
