ranger-dev mailing list archives

From "Abhay Kulkarni (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2066) Hbase column family access is authorized by a tagged column in the column family
Date Wed, 11 Apr 2018 21:54:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhay Kulkarni updated RANGER-2066:
-----------------------------------
    Summary: Hbase column family access is authorized by a tagged column in the column family  (was: Hbase column family access is authorized by a tagged column)

> Hbase column family access is authorized by a tagged column in the column family
> --------------------------------------------------------------------------------
>
>                 Key: RANGER-2066
>                 URL: https://issues.apache.org/jira/browse/RANGER-2066
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 1.0.0, master
>            Reporter: Anuja Leekha
>            Priority: Major
>             Fix For: master, 1.1.0
>
>
> ERROR SCENARIO:
> Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, manager)
>  Column emp/prof_data/role is tagged with OFFICIAL tag.
> Create following policies:
>  Resource policy allows Read on table=*, column-family=*,column=*  and policy for tag OFFICIAL allows Read on OFFICIAL tag for a test_user.
> When test_user executes 'scan emp' command, two audit log records are created:
>  1. Resource: emp/personal_data
>  Name / Type: column-family
>  Allowed
>  Policy allowing: Access based policy [Tag column shows PII]
> 2. Resource: emp/prof_data
>  Name / Type: column-family
>  Allowed
>  Policy allowing: TAG based policy for OFFICIAL tag
> prof_data column-family should not be authorized by a tagged role column in it. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
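
The scenario reported above, as an added example that is not part of the original message and is not Ranger's code. It is a simplified model that assumes tag policies are evaluated before resource policies and that a tag applies to the tagged resource and to anything beneath it; the function names and the include_descendants switch are hypothetical.

```python
# Simplified model of the RANGER-2066 scenario (illustrative, not Ranger code).
# A resource is a tuple: (table,), (table, family) or (table, family, column).

# Constructed from the report: only emp/prof_data/role carries the OFFICIAL tag.
TAGS = {("emp", "prof_data", "role"): {"OFFICIAL"}}
# Tag policy: Read on OFFICIAL for test_user.
TAG_POLICY = {"OFFICIAL": {("test_user", "read")}}
# Resource policy: Read on table=*, column-family=*, column=*.
RESOURCE_POLICY = {("test_user", "read")}
FAMILIES = [("emp", "personal_data"), ("emp", "prof_data")]


def tags_for(resource, include_descendants):
    """Return the tags considered when authorizing `resource`.

    A tag on the resource itself or on one of its ancestors always applies.
    include_descendants=True also pulls in tags from resources *below* it,
    which reproduces the reported behaviour for column families.
    """
    found = set()
    for tagged, tags in TAGS.items():
        self_or_ancestor = resource[:len(tagged)] == tagged
        descendant = (len(tagged) > len(resource)
                      and tagged[:len(resource)] == resource)
        if self_or_ancestor or (include_descendants and descendant):
            found |= tags
    return found


def authorize(user, access, resource, include_descendants):
    """Return (allowed, deciding_policy); tag policies are checked first."""
    for tag in sorted(tags_for(resource, include_descendants)):
        if (user, access) in TAG_POLICY.get(tag, set()):
            return True, "tag:" + tag
    if (user, access) in RESOURCE_POLICY:
        return True, "resource"
    return False, None


def scan_audit(user, families, include_descendants):
    """Model the per-column-family audit records produced by 'scan emp'."""
    return {"/".join(f): authorize(user, "read", f, include_descendants)[1]
            for f in families}


if __name__ == "__main__":
    print("reported:", scan_audit("test_user", FAMILIES, True))
    print("expected:", scan_audit("test_user", FAMILIES, False))
```

In the model, the column emp/prof_data/role is still decided by the OFFICIAL tag policy in both modes; only the column-family decision changes.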
