  1. Ranger
  2. RANGER-512

Policy creation should fail if any user/group specified does not exist in Ranger

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.5.0
    • Fix Version/s: 0.5.0
    • Component/s: admin
    • Labels:
      None

      Description

      If any user or group specified in the policy-being-created (or updated) does not exist in Ranger, currently the policy is created (or updated) after ignoring non-existent users and groups.

      This causes the REST client creating the policy to assume the policy was created as given. However, since the created policy doesn't include some users/groups, some users will not be authorized by the Ranger policy as expected. For example,
      1) create a policy that grants select access to user1 on table accounts
      2) perform select on table accounts as user1

      Step #2 above will fail if user1 did not exist in Ranger at the time the policy was created. Instead of ignoring the non-existent users/groups, policy creation should fail - so that the caller will be able to take the necessary corrective action or retry after a wait (to give time for the user to sync from LDAP/Unix to Ranger).
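
A minimal in-memory model of the behaviour described above, added here as an example (it is not Ranger's code or REST API): it contrasts silently dropping unknown principals with rejecting the request, and shows a caller retrying after user sync. The policy dict shape, the function names and the `sync` callback are assumptions made for illustration.

```python
# Added illustration; an in-memory model, not Ranger's code or REST API.
class UnknownPrincipalError(ValueError):
    """Raised when a policy names users/groups the store does not know."""

def missing_principals(policy, known_users, known_groups):
    """Return (users, groups) named in the policy but absent from the store."""
    users, groups = set(), set()
    for item in policy["policyItems"]:
        users |= set(item.get("users", [])) - known_users
        groups |= set(item.get("groups", [])) - known_groups
    return sorted(users), sorted(groups)

def create_policy_lenient(policy, known_users, known_groups):
    """Behaviour reported in the issue: unknown principals are silently dropped."""
    stored = {**policy, "policyItems": []}
    for item in policy["policyItems"]:
        stored["policyItems"].append({
            **item,
            "users": [u for u in item.get("users", []) if u in known_users],
            "groups": [g for g in item.get("groups", []) if g in known_groups],
        })
    return stored

def create_policy_strict(policy, known_users, known_groups):
    """Behaviour requested in the issue: reject the whole request instead."""
    users, groups = missing_principals(policy, known_users, known_groups)
    if users or groups:
        raise UnknownPrincipalError(f"unknown users={users} groups={groups}")
    return policy

def is_allowed(stored, user, access):
    """True if any stored policy item grants `access` to `user`."""
    return any(user in i["users"] and access in i["accesses"]
               for i in stored["policyItems"])

def create_with_retry(policy, known_users, known_groups, sync, attempts=3):
    """Caller-side corrective action: wait for user sync, then retry."""
    for _ in range(attempts):
        try:
            return create_policy_strict(policy, known_users, known_groups)
        except UnknownPrincipalError:
            sync(known_users, known_groups)  # stand-in for waiting on LDAP/Unix sync
    raise UnknownPrincipalError("principals still missing after retries")

# Constructed sample: user1 has not yet been synced into the store.
POLICY = {"name": "accounts-select", "resource": "accounts",
          "policyItems": [{"users": ["user1"], "groups": [], "accesses": ["select"]}]}
```

With the lenient path the caller gets a stored policy back and only discovers the gap when user1's select is denied; with the strict path the missing principal is reported at creation time, where the caller can act on it.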

            People

            • Assignee:
              madhan Madhan Neethiraj
              Reporter:
              madhan Madhan Neethiraj
            • Votes:
              0
              Watchers:
              2
