• Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.0.0
    • 3.0.0
    • Ranger
    • None


      Datasets and projects in Ranger can be made accessible to users via policies. These policies use the same data structure as regular access-control policies of Ranger. However, instead of using existing policy management APIs, dataset/project policies should be managed only via GDS APIs for the following reasons:

      1. Users having admin/policy-admin privilege on the dataset/project should be allowed to manage policies, which is different from other policies which require the user to have wider admin privilege or delegated-admin privilege on the resource.
      2. Policies for a dataset/project should be deleted when the dataset/project is deleted.
      3. Rename of a dataset/project should not impact enforcement of GDS policies. This might require GDS policies to refer to dataset/project via their IDs instead of names. Having GDS specific policy APIs will make it easier to handle this.
      4. It is critical that dataset/project policies don't support wildcards or multiple resources. Supporting such will break the GDS UI that provides a single place to view all grants for a given dataset/project. (though wildcard/multiple-resources can be restricted via service-def, power users will find a way to update the service-def to get around this restriction - which can make GDS UI show incorrect grants).


        1. RANGER-4445.patch
          129 kB
          Madhan Neethiraj



            madhan Madhan Neethiraj
            madhan Madhan Neethiraj
            0 Vote for this issue
            1 Start watching this issue