
If Falcon is used to move a file from a folder with Ranger folder-level security policy to a new folder with less restrictions, which policy will apply to the file?


If Falcon is used to move a file from a folder with Ranger folder-level security policy to a new folder with less restrictions, which policy will apply to the file? If the less restrictive one, is this not a vulnerability? How can we prevent that?

1 ACCEPTED SOLUTION


Re: If Falcon is used to move a file from a folder with Ranger folder-level security policy to a new folder with less restrictions, which policy will apply to the file?

Contributor

It is not a vulnerability. The Ranger policies do not move with the data. If the new folder has less restrictions, administrators would have to make sure appropriate policies are set. Data can be moved from a production to a development cluster or to archival/DR. The destination folder rules may not always map to the source folder rules. The good part here is that a Ranger policy can be set even before folders are created, so administrators should set Ranger policies before moving data.


2 REPLIES

Re: If Falcon is used to move a file from a folder with Ranger folder-level security policy to a new folder with less restrictions, which policy will apply to the file?

Elaborating on the answer above:

The Ranger folder policies are not transferred with the file. Administrators have to ensure appropriate policies are set on the destination folder.

However, Falcon workflows are authenticated and authorized against Ranger based on their creator’s credentials/ACLs. Therefore, if a user does not have permission to read a specific file/folder, he/she will not have access to it through Falcon either and hence will not be able to create a “copy” workflow for it.

http://falcon.apache.org/Security.html
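
A pre-move check for the point both answers make, that the destination folder's policies are the ones that apply after the move. This is an added example, not code from the thread or from Ranger or Falcon: it compares the allow grants covering a source and a destination path and reports what the destination adds. The policy names, paths, users and groups are constructed; the JSON follows the shape of Ranger's policy model, and deny items, exceptions, wildcards and the HDFS native-ACL fallback are assumed out of scope.

```python
import json

# Constructed sample in the shape of a Ranger HDFS policy export (not real data).
POLICIES = json.loads("""[
 {"name": "prod-finance", "isEnabled": true,
  "resources": {"path": {"values": ["/prod/finance"], "isRecursive": true}},
  "policyItems": [{"users": ["alice"], "groups": ["finance"],
                   "accesses": [{"type": "read", "isAllowed": true}]}]},
 {"name": "dev-open", "isEnabled": true,
  "resources": {"path": {"values": ["/dev"], "isRecursive": true}},
  "policyItems": [{"users": [], "groups": ["finance", "developers"],
                   "accesses": [{"type": "read", "isAllowed": true},
                                {"type": "write", "isAllowed": true}]}]}
]""")

def covers(resource, path):
    """True if a policy's path resource applies to `path` (wildcards not handled)."""
    for base in resource.get("values", []):
        base = base.rstrip("/") or "/"
        recursive_hit = resource.get("isRecursive") and path.startswith(base.rstrip("/") + "/")
        if path == base or recursive_hit:
            return True
    return False

def grants(policies, path):
    """Set of (principal, access_type) allowed on `path` by enabled policies."""
    out = set()
    for p in policies:
        if not p.get("isEnabled", True) or not covers(p["resources"]["path"], path):
            continue
        for item in p.get("policyItems", []):
            who = [f"user:{u}" for u in item.get("users", [])]
            who += [f"group:{g}" for g in item.get("groups", [])]
            for acc in item.get("accesses", []):
                if acc.get("isAllowed"):
                    out.update((w, acc["type"]) for w in who)
    return out

def widened(policies, src, dst):
    """Grants present on the destination path but absent on the source path."""
    return sorted(grants(policies, dst) - grants(policies, src))

if __name__ == "__main__":
    for who, access in widened(POLICIES, "/prod/finance/q3.csv", "/dev/staging/q3.csv"):
        print(f"destination adds {access} for {who}")
```

An empty result from `widened` means the destination grants nothing the source did not; any entry is a grant to review or restrict before the move is scheduled.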