ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Abhay Kulkarni (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2000) Policy & policy item effective dates to support time-bound and temporary authorization
Date Thu, 01 Mar 2018 17:22:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2000?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Abhay Kulkarni updated RANGER-2000:
-----------------------------------
    Description: 
Currently Ranger policies have effectiveness period that is permanent i.e. once authored they
can only be disabled or enabled. There are many use cases where such policies or even a policy
condition needs to be time bound. For example certain financial information about earnings
that is sensitive and restricted only until the earnings release date. 

it would be great to have the ability to specify with each policy a time horizon when it
is effective (i.e.) either be effective after a certain date and/or expire after a specific
date or only valid within a certain time window and have Ranger check whether the policy is
effective before evaluating in the policy engine. Therefore, policy authoring can be simplified
and does not require any subsequent action from the user, basically making policy authoring
a one time effort and users do not have to go back disable the policies once it is past the
expiration date.

This means that:
 # Ranger policy engine needs to be able to recognize the start and end times for policies 
and enforce them based on period of validity specified by the user.
 # Active policies should be checked not only based on the resource, user and environment
context but also whether the policy is effective.

  was:
Currently Ranger policies have effectiveness period that is permanent i.e. once authored they
can only be disabled or enabled. There are many use cases where such policies or even a policy
condition needs to be time bound. For example certain financial information about earnings
that is sensitive and restricted only until the earnings release date. 

it would be great to have the ability to specify with each policy or policy condition a time
horizon when it is effective (i.e.) either be effective after a certain date and/or expire
after a specific date or only valid within a certain time window and have Ranger check whether
the policy is effective before evaluating in the policy engine. Therefore, policy authoring
can be simplified and does not require any subsequent action from the user, basically making
policy authoring a one time effort and users do not have to go back disable the policies once
it is past the expiration date.

This means that:
 # Ranger policy engine needs to be able to recognize the start and end times for policies
or specific policy items (conditions) and enforce them based on period of validity specified
by the user.
 # Active policies should be checked not only based on the resource, user and environment
context but also whether the policy itself or policy item condition is effective.


> Policy & policy item effective dates to support time-bound and temporary authorization
> --------------------------------------------------------------------------------------
>
>                 Key: RANGER-2000
>                 URL: https://issues.apache.org/jira/browse/RANGER-2000
>             Project: Ranger
>          Issue Type: New Feature
>          Components: Ranger
>            Reporter: Srikanth Venkat
>            Assignee: Abhay Kulkarni
>            Priority: Major
>             Fix For: master
>
>
> Currently Ranger policies have effectiveness period that is permanent i.e. once authored
they can only be disabled or enabled. There are many use cases where such policies or even
a policy condition needs to be time bound. For example certain financial information about
earnings that is sensitive and restricted only until the earnings release date. 
> it would be great to have the ability to specify with each policy a time horizon when
it is effective (i.e.) either be effective after a certain date and/or expire after a specific
date or only valid within a certain time window and have Ranger check whether the policy is
effective before evaluating in the policy engine. Therefore, policy authoring can be simplified
and does not require any subsequent action from the user, basically making policy authoring
a one time effort and users do not have to go back disable the policies once it is past the
expiration date.
> This means that:
>  # Ranger policy engine needs to be able to recognize the start and end times for policies 
and enforce them based on period of validity specified by the user.
>  # Active policies should be checked not only based on the resource, user and environment
context but also whether the policy is effective.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message