You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Madhan Neethiraj <ma...@apache.org> on 2021/12/15 00:58:32 UTC
Review Request 73759: RANGER-3550: enhancement to support use of user/tag attributes in row-filter/condition expressions
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73759/
-----------------------------------------------------------
Review request for ranger, Abhishek Kumar, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-3550
https://issues.apache.org/jira/browse/RANGER-3550
Repository: ranger
Description
-------
updated row-filter and condition handling evaluate expressions given under markers '${{' and '}}'
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java 64f01c95f
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java 0831dde08
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java 71029dd12
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestExprResolver.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b0782ecb5
agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java 798da052f
agents-common/src/test/java/org/apache/ranger/plugin/util/RangerRequestExprResolverTest.java PRE-CREATION
Diff: https://reviews.apache.org/r/73759/diff/1/
Testing
-------
- added test cases to validate evaluation of expressions
- verified Hive plugin row-filter expressions that include user attribute, like: "owner == '${{USER._name}}'
Thanks,
Madhan Neethiraj
Re: Review Request 73759: RANGER-3550: enhancement to support use of user/tag attributes in row-filter/condition expressions
Posted by Madhan Neethiraj <ma...@apache.org>.
> On Dec. 15, 2021, 6:51 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
> > Lines 105 (patched)
> > <https://reviews.apache.org/r/73759/diff/2/?file=2256611#file2256611line105>
> >
> > If value of SCRIPT_OPTION_ENABLE_JSON_CTX is set to "false" in the condition-definition, and the script contains VAR_NAMES_PATTERN, then what is expected to happen? Will the script evaluation fail?
if 'enableJsonCtx' is explicitly set to 'false' in the condition-def (in service-def), references to variables like TAG, USER, UG can fail, unless such variables are declared in the expression.
> On Dec. 15, 2021, 6:51 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
> > Line 648 (original), 648 (patched)
> > <https://reviews.apache.org/r/73759/diff/2/?file=2256612#file2256612line648>
> >
> > Is this comment relevant? If not, please consider removing it.
This is to alert that following variables shouldn't be included here, as they are defined irrespective of 'enableJsonCtx' value:
- SCRIPT_VAR_ctx = "ctx"
- SCRIPT_VAR_tag = "tag"
- SCRIPT_VAR_tagAttr = "tagAttr"
- Madhan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73759/#review223858
-----------------------------------------------------------
On Dec. 15, 2021, 8:28 a.m., Madhan Neethiraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73759/
> -----------------------------------------------------------
>
> (Updated Dec. 15, 2021, 8:28 a.m.)
>
>
> Review request for ranger, Abhishek Kumar, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3550
> https://issues.apache.org/jira/browse/RANGER-3550
>
>
> Repository: ranger
>
>
> Description
> -------
>
> updated row-filter and condition handling to evaluate expressions given under markers '${{' and '}}'
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b94225b36
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java 64f01c95f
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java 0831dde08
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java 71029dd12
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestExprResolver.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b0782ecb5
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java db7d3e582
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java 798da052f
> agents-common/src/test/java/org/apache/ranger/plugin/util/RangerRequestExprResolverTest.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/73759/diff/2/
>
>
> Testing
> -------
>
> - added test cases to validate evaluation of expressions
> - verified Hive plugin row-filter expressions that include user attribute, like: "owner == '${{USER._name}}'
>
>
> Thanks,
>
> Madhan Neethiraj
>
>
Re: Review Request 73759: RANGER-3550: enhancement to support use of user/tag attributes in row-filter/condition expressions
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73759/#review223858
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
Lines 105 (patched)
<https://reviews.apache.org/r/73759/#comment312893>
If value of SCRIPT_OPTION_ENABLE_JSON_CTX is set to "false" in the condition-definition, and the script contains VAR_NAMES_PATTERN, then what is expected to happen? Will the script evaluation fail?
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
Line 648 (original), 648 (patched)
<https://reviews.apache.org/r/73759/#comment312892>
Is this comment relevant? If not, please consider removing it.
- Abhay Kulkarni
On Dec. 15, 2021, 8:28 a.m., Madhan Neethiraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73759/
> -----------------------------------------------------------
>
> (Updated Dec. 15, 2021, 8:28 a.m.)
>
>
> Review request for ranger, Abhishek Kumar, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3550
> https://issues.apache.org/jira/browse/RANGER-3550
>
>
> Repository: ranger
>
>
> Description
> -------
>
> updated row-filter and condition handling to evaluate expressions given under markers '${{' and '}}'
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b94225b36
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java 64f01c95f
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java 0831dde08
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java 71029dd12
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestExprResolver.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b0782ecb5
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java db7d3e582
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java 798da052f
> agents-common/src/test/java/org/apache/ranger/plugin/util/RangerRequestExprResolverTest.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/73759/diff/2/
>
>
> Testing
> -------
>
> - added test cases to validate evaluation of expressions
> - verified Hive plugin row-filter expressions that include user attribute, like: "owner == '${{USER._name}}'
>
>
> Thanks,
>
> Madhan Neethiraj
>
>
Re: Review Request 73759: RANGER-3550: enhancement to support use of user/tag attributes in row-filter/condition expressions
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73759/#review223886
-----------------------------------------------------------
Ship it!
Ship It!
- Abhay Kulkarni
On Dec. 15, 2021, 8:28 a.m., Madhan Neethiraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73759/
> -----------------------------------------------------------
>
> (Updated Dec. 15, 2021, 8:28 a.m.)
>
>
> Review request for ranger, Abhishek Kumar, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3550
> https://issues.apache.org/jira/browse/RANGER-3550
>
>
> Repository: ranger
>
>
> Description
> -------
>
> updated row-filter and condition handling to evaluate expressions given under markers '${{' and '}}'
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b94225b36
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java 64f01c95f
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java 0831dde08
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java 71029dd12
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestExprResolver.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b0782ecb5
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java db7d3e582
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java 798da052f
> agents-common/src/test/java/org/apache/ranger/plugin/util/RangerRequestExprResolverTest.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/73759/diff/2/
>
>
> Testing
> -------
>
> - added test cases to validate evaluation of expressions
> - verified Hive plugin row-filter expressions that include user attribute, like: "owner == '${{USER._name}}'
>
>
> Thanks,
>
> Madhan Neethiraj
>
>
Re: Review Request 73759: RANGER-3550: enhancement to support use of user/tag attributes in row-filter/condition expressions
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73759/
-----------------------------------------------------------
(Updated Dec. 15, 2021, 8:28 a.m.)
Review request for ranger, Abhishek Kumar, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
updated to set default value for enableJsonCtx depending upon condition script expression
Bugs: RANGER-3550
https://issues.apache.org/jira/browse/RANGER-3550
Repository: ranger
Description
-------
updated row-filter and condition handling to evaluate expressions given under markers '${{' and '}}'
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java b94225b36
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java 64f01c95f
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java 0831dde08
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java 71029dd12
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestExprResolver.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/ScriptEngineUtil.java b0782ecb5
agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java db7d3e582
agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java 798da052f
agents-common/src/test/java/org/apache/ranger/plugin/util/RangerRequestExprResolverTest.java PRE-CREATION
Diff: https://reviews.apache.org/r/73759/diff/2/
Changes: https://reviews.apache.org/r/73759/diff/1-2/
Testing
-------
- added test cases to validate evaluation of expressions
- verified Hive plugin row-filter expressions that include user attribute, like: "owner == '${{USER._name}}'
Thanks,
Madhan Neethiraj