Posted to dev@ranger.apache.org by "Ramesh Bhanan Byndoor (Jira)" <ji...@apache.org> on 2022/07/23 19:21:00 UTC

[jira] [Created] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

Ramesh Bhanan Byndoor created RANGER-3839:
---------------------------------------------

             Summary: Ranger Tag based policy with ability to show metadata for covered resource
                 Key: RANGER-3839
                 URL: https://issues.apache.org/jira/browse/RANGER-3839
             Project: Ranger
          Issue Type: Test
          Components: plugins
            Reporter: Ramesh Bhanan Byndoor


Have a use case around this for Trino and Hive where the user should be able to see the allowed parents along with the child table.

 

For the below case from here:

[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]

Resource

{code:java}
{
     "serviceName": "cl1_hive",
     "resourceElements": {
         "database": {
             "values": ["employee"]
         },
         "table": {
             "values": ["personal"]
         },
         "column": {
             "values": ["city"]
         }
     },
     "id": 3,
     "guid": "employee.personal.city-guid"
 }
 {code}
Policy
{code:java}
{
     "id": 1,
     "name": "RESTRICTED_TAG_POLICY",
     "isEnabled": true,
     "isAuditEnabled": true,
     "resources": {
         "tag": {
             "values": ["RESTRICTED"],
             "isRecursive": false
         }
     },
     "policyItems": [{
         "accesses": [{
             "type": "hive:select",
             "isAllowed": true
         }],
         "users": ["hive", "user1"],
         "groups": [],
         "delegateAdmin": false,
         "conditions": [{
             "type": "expression",
             "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
         }]
     }]
 }
{code}
The test below is working as expected
{code:java}
{
    "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
    "request": {
        "resource": {
            "elements": {
                "database": "employee",
                "table": "personal",
                "column": "city"
            }
        },
        "accessType": "select",
        "user": "user1",
        "userGroups": [],
        "requestData": "select city from employee.personal;' for user1"
    },
    "result": {
        "isAudited": true,
        "isAllowed": true,
        "policyId": 101
    }
}
{code}
The expectation is: how to allow the following (without *allowing access to anything apart from this*)?

*show databases;* with results *employee*

*use employee;*

*show tables;* with results *personal*

 

Please suggest possible ways to solve this/policy creation. 

 

 


