...
The policy model enhancements in RANGER-606 add the capability to explicitly deny access on the given conditions and also to specify excludes to allow-conditions and deny-conditions. Let’s use the same policies used in the previous section, but with an added condition to explicitly deny access to users in the interns group.
Please note that after updates in RANGER-876, deny in policies is available only for services whose service-def has option enableDenyAndExceptionsInPolicies set to true, as shown below:
{
  "name": "hdfs",
  "description": "HDFS Repository",
  "options": {
    "enableDenyAndExceptionsInPolicies": "true"
  }
}
Please refer to this wiki for details of REST APIs to update service-def.
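The check below is an added example, not code from the Ranger project: it flags policies that carry deny conditions or excludes for a service whose service-def does not set enableDenyAndExceptionsInPolicies to true. The policy field names (policyItems, denyPolicyItems, allowExceptions, denyExceptions) and all sample policies are assumptions constructed for the example; only the service-def JSON comes from this page.

```python
import json

OPTION = "enableDenyAndExceptionsInPolicies"
# Policy fields that depend on the option (assumed field names, not shown on the page).
GATED_FIELDS = ("denyPolicyItems", "allowExceptions", "denyExceptions")


def deny_enabled(service_def: dict) -> bool:
    """True only if the service-def option is present and set to true."""
    value = (service_def.get("options") or {}).get(OPTION)
    # The page shows the value as the string "true"; tolerate a JSON boolean too.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def find_gated_policies(service_def: dict, policies: list) -> list:
    """Return (policy name, field) pairs that rely on deny conditions or
    excludes although the service-def has not enabled them."""
    if deny_enabled(service_def):
        return []
    findings = []
    for policy in policies:
        for field in GATED_FIELDS:
            if policy.get(field):  # a non-empty list of items
                findings.append((policy.get("name", "<unnamed>"), field))
    return findings


# Service-def as shown on the page, and a constructed one without the option.
SERVICE_DEF_ENABLED = json.loads("""
{"name": "hdfs", "description": "HDFS Repository",
 "options": {"enableDenyAndExceptionsInPolicies": "true"}}
""")
SERVICE_DEF_DEFAULT = {"name": "hdfs", "description": "HDFS Repository", "options": {}}

# Constructed policies; the first is modelled on section 2.2.1.
READ = [{"type": "read", "isAllowed": True}]
POLICIES = [
    {"name": "finance-folder",
     "policyItems": [{"groups": ["finance"], "accesses": READ}],
     "denyPolicyItems": [{"groups": ["interns"], "accesses": READ}]},
    {"name": "public-folder",
     "policyItems": [{"groups": ["public"], "accesses": READ}],
     "denyPolicyItems": []},
]

if __name__ == "__main__":
    for sd in (SERVICE_DEF_ENABLED, SERVICE_DEF_DEFAULT):
        print(deny_enabled(sd), find_gated_policies(sd, POLICIES))
```

Running such a check against exported policies before relying on a deny rule shows whether the explicit deny for the interns group is available for that service at all.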
2.2.1 HDFS policy for /finance folder access: allow users in finance group, deny all users in interns group
...
The introduction of deny conditions in the policy model requires the policies to be evaluated in a specific order to ensure that the final result is predictable. The following diagram captures the policy evaluation flow:
Following is the text version of the above diagram:
...