ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Don Bosco Durai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-2232) Security Zones feature in Apache Ranger
Date Mon, 12 Nov 2018 02:44:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-2232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16683145#comment-16683145
] 

Don Bosco Durai commented on RANGER-2232:
-----------------------------------------

[~abhayk] This is a very good feature and you have articulated it very well in the document.

+1 from my side.

I do have a suggestion, while we are implementing this feature, let's not make it very much
tied to resource policies. We should be able to use security zones for other purposes also.
E.g. In the future, we should be able to implement other features like https://issues.apache.org/jira/browse/RANGER-693
using security zones.


> Security Zones feature in Apache Ranger
> ---------------------------------------
>
>                 Key: RANGER-2232
>                 URL: https://issues.apache.org/jira/browse/RANGER-2232
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin
>            Reporter: Madhan Neethiraj
>            Assignee: Abhay Kulkarni
>            Priority: Major
>         Attachments: Apache Ranger - Security Zones.pdf
>
>
> This is to introduce a new abstraction in Apache Ranger that would allow carving/bucketing
of resources in a service into multiple zones, for better administration of security policies.
This would enable multiple administrators to setup security policies for a service – based
on the zones to which they have been granted administration rights. 
> For example, let us consider 2 security zones ‘finance’ and ‘sales’:
>  - Security zone ‘finance’ includes all contents in Hive database named ‘finance’ 
>  - Security zone ‘sales’ includes all contents in ‘sales’ database 
>  - Set of users and groups are designated as administrators each zone 
>  - Users are allowed to setup policies only in zones in which they are administrators 
>  - Policies defined in a zone are applicable only for resources of the zone
>  - A zone can be extended to include resource from multiple services like HDFS, Hive,
HBase, Kafka, .., allowing administrators of a zone to setup policies for resources owned
by their organization across multiple services.
>  - Audit logs will include name of the zone in which the accessed resource resides.
Only users having appropriate permissions on the security zone can view its audit logs.
> Attached document has more details on various aspects of Security Zones.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message