RANGER-3617: incorrect deny for _any access due to tag policy


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.0, 2.2.0
    • Fix Version/s: 3.0.0, 2.3.0
    • Component/s: plugins
    • Labels: None

    Description

      The API to check if a user has any access within a resource returns deny when a tag-based policy denies access to a child resource, even though another policy allows access to a different child resource. More details to reproduce the issue are below:

      1. Policy on tag=RESTRICTED denies select access to user2
      2. A resource-based policy allows select access to user2 on database=*, table=*, column=*
      3. Column finance.tax_2016.name is tagged with RESTRICTED
      4. user2 is denied select on this column by above tag-based policy – this is as expected
      5. user2 is denied _any on finance database (like "use finance;") by above tag-based policy – which is incorrect
        Expected: access should have been allowed by above resource-based policy
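
      The repro steps above as a small Python model, added here as an illustration; it is not taken from the issue, the attached patch, or Ranger's code base. All names are hypothetical, and treating a tag on a parent resource as applying to its children is an assumption of the model.

```python
# Toy model of the scenario in RANGER-3617; an illustration, not Apache Ranger code.
# Every name below is hypothetical and the data is constructed from the repro steps.
from fnmatch import fnmatch

TAGGED = {("finance", "tax_2016", "name"): {"RESTRICTED"}}                   # step 3
TAG_DENY = [{"tag": "RESTRICTED", "user": "user2", "access": "select"}]      # step 1
RES_ALLOW = [{"res": ("*", "*", "*"), "user": "user2", "access": "select"}]  # step 2
ANY = "_any"

def relation(tagged, requested):
    """How a tagged resource relates to the requested one."""
    if tagged == requested:
        return "self"
    if requested[:len(tagged)] == tagged:
        return "ancestor"      # tag sits on a parent of the request (model assumption)
    if tagged[:len(requested)] == requested:
        return "descendant"    # tag sits on a child of the request
    return None

def tag_denies(user, access, requested, honour_descendants):
    """True if a tag-based deny policy applies to this request."""
    scope = {"self", "ancestor"} | ({"descendant"} if honour_descendants else set())
    for tagged, tags in TAGGED.items():
        if relation(tagged, requested) not in scope:
            continue
        for p in TAG_DENY:
            if p["tag"] in tags and p["user"] == user and access in (p["access"], ANY):
                return True
    return False

def resource_allows(user, access, requested):
    """True if a resource-based allow policy covers this request."""
    for p in RES_ALLOW:
        # Every level the request supplies must match the policy pattern; levels
        # the request omits are descendants, which only count for _any.
        levels_ok = all(fnmatch(v, pat) for v, pat in zip(requested, p["res"]))
        depth_ok = len(requested) == len(p["res"]) or access == ANY
        if levels_ok and depth_ok and p["user"] == user and access in (p["access"], ANY):
            return True
    return False

def is_allowed(user, access, requested, honour_descendants=False):
    """Deny overrides allow. honour_descendants=True reproduces the reported deny."""
    if tag_denies(user, access, requested, honour_descendants):
        return False
    return resource_allows(user, access, requested)
```

      With `honour_descendants=True` the model returns the deny described in step 5; with the default it returns the expected allow while still denying select on the tagged column.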

       

      Attachments

        1. RANGER-3617.patch
          13 kB
          Madhan Neethiraj


            People

              madhan Madhan Neethiraj