Posted to dev@ranger.apache.org by "Ramesh Bhanan Byndoor (Jira)" <ji...@apache.org> on 2022/07/23 19:21:00 UTC
[jira] [Created] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource
Ramesh Bhanan Byndoor created RANGER-3839:
---------------------------------------------
Summary: Ranger Tag based policy with ability to show metadata for covered resource
Key: RANGER-3839
URL: https://issues.apache.org/jira/browse/RANGER-3839
Project: Ranger
Issue Type: Test
Components: plugins
Reporter: Ramesh Bhanan Byndoor
Have a use case around this for Trino and Hive where a user should be able to see the allowed parents along with the child table.
For the case below, from here:
[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
Resource
{code:java}
{
  "serviceName": "cl1_hive",
  "resourceElements": {
    "database": {
      "values": ["employee"]
    },
    "table": {
      "values": ["personal"]
    },
    "column": {
      "values": ["city"]
    }
  },
  "id": 3,
  "guid": "employee.personal.city-guid"
}
{code}
Policy
{code:java}
{
  "id": 1,
  "name": "RESTRICTED_TAG_POLICY",
  "isEnabled": true,
  "isAuditEnabled": true,
  "resources": {
    "tag": {
      "values": ["RESTRICTED"],
      "isRecursive": false
    }
  },
  "policyItems": [{
    "accesses": [{
      "type": "hive:select",
      "isAllowed": true
    }],
    "users": ["hive", "user1"],
    "groups": [],
    "delegateAdmin": false,
    "conditions": [{
      "type": "expression",
      "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
    }]
  }]
}
{code}
The test below is working as expected
{code:java}
{
  "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
  "request": {
    "resource": {
      "elements": {
        "database": "employee",
        "table": "personal",
        "column": "city"
      }
    },
    "accessType": "select",
    "user": "user1",
    "userGroups": [],
    "requestData": "select city from employee.personal;' for user1"
  },
  "result": {
    "isAudited": true,
    "isAllowed": true,
    "policyId": 101
  }
}
{code}
The expectation is how to allow the following (without allowing access to anything apart from this):
*show databases;* - with results *employee*
*use employee;*
*show tables;* - with results *personal*
Please suggest possible ways to solve this/policy creation.