
Allow Duplicate Policies For Resources

Overview

By default, Apache Ranger does not allow the creation of multiple policies for the same resource. This behavior is designed to ensure that each resource has a unique policy for efficient access control management and to prevent confusion or conflicts between overlapping policies. However, there are scenarios where it may be necessary to create duplicate policies for the same resource to meet specific access control requirements.

Some examples of when you might need to create duplicate policies for the same resource include:

  • Automation: Automated policy creation tools may generate multiple policies for the same resource based on different criteria or conditions.

Need to Know

While enabling the ability to create duplicate policies for the same resource can be useful in certain scenarios, it can also lead to more complex policy management and potential conflicts between overlapping policies. Therefore, it is important to carefully consider the implications of allowing duplicate policies before enabling this feature.

  1. Complexity: Managing multiple policies for the same resource can increase the complexity of access control management and make it more difficult to track and enforce consistent policies across the organization.
  2. Conflicts: Overlapping policies can lead to conflicts or inconsistencies in access control decisions, potentially resulting in unintended consequences. If there are multiple ALLOW policies for the same resource, Ranger will grant access based on the first matching policy.

⚠ Limitations

  1. If this feature is disabled, then any existing duplicate policies for the same resource will not be removed automatically. You would need to manually delete the duplicate policies from the Ranger Admin UI or using the Ranger Admin API.

Configuration

To enable the ability to create duplicate policies for the same resource in Apache Ranger, you can set the RANGER_ALLOW_DUPLICATE_POLICY configuration parameter to true. This configuration allows you to create multiple policies for the same resource without verifying if a similar policy already exists.

Go to the server where Privacera Manager is installed and navigate to the configuration directory:

Bash
cd ~/privacera/privacera-manager/config
# Copy the sample vars file to the custom vars directory if it does not already exist there
cp -n sample-vars/vars.ranger.admin.yml custom-vars/
vi custom-vars/vars.ranger.admin.yml

Add the following property and set it to true. If the property already exists, update the value to true:

YAML
RANGER_ALLOW_DUPLICATE_POLICY: "true"

After making the changes, save the file and run the following commands to apply the configuration changes and restart the Ranger Admin service:

Step 1 - Run setup, which generates the Helm charts. This step usually takes a few minutes.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager Helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

Disabling Duplicate Policies

You can disable the ability to create duplicate policies for the same resource by setting the RANGER_ALLOW_DUPLICATE_POLICY configuration parameter to false. This setting prevents the creation of duplicate policies for the same resource and ensures that each resource has a unique policy. However, changing this setting from true to false would not remove the existing duplicate policies. You would need to manually delete the duplicate policies from the Ranger Admin UI or using the Ranger Admin API.
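Because disabling the setting leaves existing duplicates in place, an administrator needs a way to find them before cleaning up in the Ranger Admin UI or API. The following script is an added example (not Privacera's or Apache Ranger's own code) that groups policies by service, policy type and canonical resource set and reports every group with more than one policy. It works on the JSON policy objects returned by Ranger Admin's public API (GET /service/public/v2/api/policy); the service name, policy names and resource values in the embedded sample are constructed for this example.

```python
"""Find duplicate Apache Ranger policies (same service, type and resource set).

Added example, not Privacera's or Ranger's own code. Input is a list of Ranger
policy objects as returned by GET /service/public/v2/api/policy on Ranger Admin
(or a saved JSON export of that response). The sample below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample resembling a Ranger Admin policy export for one Hive
# service ("hive_dev" is made up). Policies 1 and 3 target the same table
# with different grantees; policy 2 covers a different resource set.
SAMPLE_POLICIES = [
    {"id": 1, "name": "finance-db-reporting", "service": "hive_dev",
     "policyType": 0, "isEnabled": True,
     "resources": {"database": {"values": ["finance"], "isExcludes": False, "isRecursive": False},
                   "table": {"values": ["transactions"], "isExcludes": False, "isRecursive": False},
                   "column": {"values": ["*"], "isExcludes": False, "isRecursive": False}},
     "policyItems": [{"users": ["analyst"], "accesses": [{"type": "select", "isAllowed": True}]}]},
    {"id": 2, "name": "finance-db-admin", "service": "hive_dev",
     "policyType": 0, "isEnabled": True,
     "resources": {"database": {"values": ["finance"], "isExcludes": False, "isRecursive": False},
                   "table": {"values": ["*"], "isExcludes": False, "isRecursive": False},
                   "column": {"values": ["*"], "isExcludes": False, "isRecursive": False}},
     "policyItems": [{"users": ["dba"], "accesses": [{"type": "all", "isAllowed": True}]}]},
    {"id": 3, "name": "automation-generated-0042", "service": "hive_dev",
     "policyType": 0, "isEnabled": True,
     "resources": {"database": {"values": ["finance"], "isExcludes": False, "isRecursive": False},
                   "table": {"values": ["transactions"], "isExcludes": False, "isRecursive": False},
                   "column": {"values": ["*"], "isExcludes": False, "isRecursive": False}},
     "policyItems": [{"groups": ["contractors"], "accesses": [{"type": "select", "isAllowed": True}]}]},
]


def load_policies(path):
    """Load a saved Ranger policy list (JSON array) from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def resource_signature(policy):
    """Canonical, order-independent key for a policy's target.

    Two policies count as duplicates when they belong to the same service,
    have the same policy type (access, masking, row filter) and name the same
    resource values with the same isExcludes/isRecursive flags, regardless of
    the order in which values were entered.
    """
    parts = []
    for level, spec in sorted(policy.get("resources", {}).items()):
        values = tuple(sorted(spec.get("values", [])))
        parts.append((level, values,
                      bool(spec.get("isExcludes", False)),
                      bool(spec.get("isRecursive", False))))
    return (policy["service"], int(policy.get("policyType", 0)), tuple(parts))


def find_duplicates(policies):
    """Return {signature: [policy ids, ascending]} for every signature shared
    by more than one policy."""
    groups = defaultdict(list)
    for p in policies:
        groups[resource_signature(p)].append(p["id"])
    return {sig: sorted(ids) for sig, ids in groups.items() if len(ids) > 1}


def duplicate_report(policies):
    """One human-readable line per duplicate group, for review before cleanup."""
    by_id = {p["id"]: p for p in policies}
    lines = []
    for sig, ids in sorted(find_duplicates(policies).items()):
        service, policy_type, parts = sig
        res = ", ".join(f"{lvl}={'/'.join(vals)}" for lvl, vals, _, _ in parts)
        names = ", ".join(f"{i}:{by_id[i]['name']}" for i in ids)
        lines.append(f"service={service} type={policy_type} "
                     f"resource[{res}] policies=[{names}]")
    return lines


if __name__ == "__main__":
    for line in duplicate_report(SAMPLE_POLICIES):
        print(line)
```

To run it against a live instance, save the response of GET /service/public/v2/api/policy to a file and pass the result of `load_policies(path)` to `duplicate_report`. The report is deliberately read-only: which of the duplicates to keep is a policy decision, since under "first matching policy" semantics the surviving policy's grantees are what will actually be enforced, so deletion is left to the Ranger Admin UI or API as the page describes.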
