atlas-dev mailing list archives

From "Alberto Romero (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ATLAS-2784) Wildcards not supported for authorization granularity in Ranger policies
Date Mon, 09 Jul 2018 13:27:00 GMT

     [ https://issues.apache.org/jira/browse/ATLAS-2784?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alberto Romero updated ATLAS-2784:
----------------------------------
    Description: 
Creating Ranger policies for Atlas resources (such as entities, types, terms, taxonomies)
does not allow for actual multitenancy or segregation of permissions due to policies ignoring
wildcards (*). For example, one cannot define a policy for type "user_*" to allow users or groups
of users to create, read or update only types that start with the string "user_".

The problem is that Atlas throws a 403 error "You are not authorized for READ on [ENTITY]
: *" even when trying to read a specific entity that would match the pattern that contains
the wildcard. In the UI it is exactly the same. The expected behaviour would be for the user
to only be able to see entities, terms, etc. that match the pattern, but the fact is that it
complains about not being able to READ on [ENTITY] : *. The '*' in the error is the clue
there: it is actually expecting access to everything.
It is only when we add the users to a policy that gives them access to '*' that it works
for them.

  was:
Creating Ranger policies for Atlas resources (such as entities, types, terms, taxonomies)
does not allow for actual multitenancy or segregation of permissions due to policies ignoring
wildcards (*). For example, one cannot define a policy for type "user_*" to allow users or groups
of users to create, read or update only types that start with the string "user_".

The problem is that Atlas throws a 403 error "You are not authorized for READ on [ENTITY]
: *" even when trying to read a specific entity that would match the pattern that contains
the wildcard. In the UI it is exactly the same. The expected behaviour would be for the user
to only be able to see entities, terms, etc. that match the pattern, but the fact is that it
complains about not being able to READ on [ENTITY] : *. The '*' in the error is the clue
there: it is actually expecting access to everything.
It is only when we add the users to a policy that gives them access to '*' that it works for
them.


> Wildcards not supported for authorization granularity in Ranger policies
> ------------------------------------------------------------------------
>
>                 Key: ATLAS-2784
>                 URL: https://issues.apache.org/jira/browse/ATLAS-2784
>             Project: Atlas
>          Issue Type: Improvement
>          Components:  atlas-core
>    Affects Versions: 0.8.2
>            Reporter: Alberto Romero
>            Priority: Major
>
> Creating Ranger policies for Atlas resources (such as entities, types, terms, taxonomies)
> does not allow for actual multitenancy or segregation of permissions due to policies ignoring
> wildcards (*). For example, one cannot define a policy for type "user_*" to allow users or groups
> of users to create, read or update only types that start with the string "user_".
> The problem is that Atlas throws a 403 error "You are not authorized for READ on [ENTITY]
> : *" even when trying to read a specific entity that would match the pattern that contains
> the wildcard. In the UI it is exactly the same. The expected behaviour would be for the user
> to only be able to see entities, terms, etc. that match the pattern, but the fact is that it
> complains about not being able to READ on [ENTITY] : *. The '*' in the error is the clue
> there: it is actually expecting access to everything.
> It is only when we add the users to a policy that gives them access to '*' that it works
> for them.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
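
The reported symptom in a simplified model, as an added example that is not part of the original message and is not Atlas or Ranger code: a policy for "user_*" filters correctly when the check receives the concrete type name, but matches nothing when the authorizer is asked about "*", which is what the 403 text suggests. The policy tuples, user names and type names are constructed, and Python's fnmatch stands in for the policy wildcard matcher.

```python
from fnmatch import fnmatchcase

# Constructed policies: (resource pattern, principals, permitted actions).
POLICIES = [
    ("user_*", {"alice"}, {"CREATE", "READ", "UPDATE"}),
    ("*", {"admin"}, {"CREATE", "READ", "UPDATE", "DELETE"}),
]


def is_allowed(user, action, resource, policies=POLICIES):
    """Allow when some policy's pattern matches the resource string it is given."""
    return any(
        user in users and action in actions and fnmatchcase(resource, pattern)
        for pattern, users, actions in policies
    )


def expected_check(user, action, entity_type):
    # Expected behaviour: evaluate policies against the entity actually requested.
    return is_allowed(user, action, entity_type)


def reported_check(user, action, entity_type):
    # Model of the reported symptom (an assumption about the cause): the request
    # reaches the authorizer as "*", as in "READ on [ENTITY] : *", so only a
    # policy whose pattern is itself "*" can match, whatever entity was asked for.
    return is_allowed(user, action, "*")


def visible(user, entity_types, check):
    """Filter a listing down to what `check` lets the user READ."""
    return [t for t in entity_types if check(user, "READ", t)]


if __name__ == "__main__":
    types = ["user_profile", "user_orders", "finance_ledger"]  # constructed names
    for who in ("alice", "admin"):
        print(who, "expected:", visible(who, types, expected_check))
        print(who, "reported:", visible(who, types, reported_check))
```

A regression test for the fix would assert the "expected" result for a user who holds only the wildcard policy, since the "reported" path passes for anyone already granted '*'.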
