Created 11-13-2015 02:21 AM
If Falcon is used to move a file from a folder with a Ranger folder-level security policy to a new folder with fewer restrictions, which policy will apply to the file? If the less restrictive one, is this not a vulnerability? How can we prevent that?
Created 11-13-2015 04:34 AM
It is not a vulnerability. The Ranger policies do not move with the data. If the new folder has fewer restrictions, administrators would have to make sure appropriate policies are set. Data can be moved from a production to a development cluster or to archival/DR. The destination folder rules may not always map to source folder rules. The good part here is that a Ranger policy can be set even before folders are created, so administrators should set Ranger policies before moving data.
Created 11-13-2015 02:10 PM
Elaborating on the answer above:
The Ranger folder policies are not transferred with the file. Administrators have to ensure appropriate policies are set on the destination folder.
However, Falcon workflows are authenticated and authorized against Ranger based on their creator’s credentials/ACLs. Therefore, if a user does not have permission to read a specific file/folder, he or she will not have access to it through Falcon either and hence will not be able to create a “copy” workflow for it.
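
A pre-move check for the situation discussed in this thread, as an added example that is not part of the original posts or of Ranger/Falcon: it compares who may read the source path with who may read the destination path and reports any principals that gain access. The policy list is constructed sample data in the shape of Ranger HDFS policy JSON (field names are assumed from the Ranger policy model), and the function names and paths are hypothetical.

```python
import fnmatch

# Constructed sample policies; field names assumed from the Ranger policy
# model (resources.path.values / isRecursive, policyItems, accesses).
POLICIES = [
    {"name": "prod-finance", "isEnabled": True,
     "resources": {"path": {"values": ["/prod/finance"], "isRecursive": True}},
     "policyItems": [{"users": ["alice"], "groups": ["finance"],
                      "accesses": [{"type": "read", "isAllowed": True}]}]},
    {"name": "dev-open", "isEnabled": True,
     "resources": {"path": {"values": ["/dev"], "isRecursive": True}},
     "policyItems": [{"users": ["alice", "bob"], "groups": ["finance", "dev"],
                      "accesses": [{"type": "read", "isAllowed": True},
                                   {"type": "write", "isAllowed": True}]}]},
]

def _covers(policy, path):
    """True if the policy's path resource matches path (wildcard or recursive)."""
    res = policy["resources"]["path"]
    for pattern in res["values"]:
        base = pattern.rstrip("/")
        if fnmatch.fnmatchcase(path, pattern):
            return True
        if res.get("isRecursive") and (path == base or path.startswith(base + "/")):
            return True
    return False

def readers(policies, path):
    """Return (users, groups) granted 'read' on path by enabled policies.
    Simplification: only allow items are evaluated, not deny items."""
    users, groups = set(), set()
    for p in policies:
        if not p.get("isEnabled", True) or not _covers(p, path):
            continue
        for item in p.get("policyItems", []):
            if any(a["type"] == "read" and a.get("isAllowed") for a in item["accesses"]):
                users |= set(item.get("users", []))
                groups |= set(item.get("groups", []))
    return users, groups

def widened_access(policies, src, dst):
    """Principals that can read dst but not src, plus whether dst is covered."""
    su, sg = readers(policies, src)
    du, dg = readers(policies, dst)
    covered = any(p.get("isEnabled", True) and _covers(p, dst) for p in policies)
    return {"users": sorted(du - su), "groups": sorted(dg - sg),
            "dst_has_policy": covered}
```

A result with `dst_has_policy` set to `False` means no Ranger policy covers the destination yet, which is the case the first answer says to fix before moving data.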