You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Barbara Eckman (Jira)" <ji...@apache.org> on 2022/10/04 20:29:00 UTC

[jira] (RANGER-3940) Add javascript includes(), intersects() polyfills for array prototype to RangerCommonConstants

    [ https://issues.apache.org/jira/browse/RANGER-3940 ]


    Barbara Eckman deleted comment on RANGER-3940:
    ----------------------------------------

was (Author: barbara):
patch coming soon

> Add javascript includes(), intersects() polyfills for array prototype to RangerCommonConstants
> ----------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3940
>                 URL: https://issues.apache.org/jira/browse/RANGER-3940
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: Barbara Eckman
>            Priority: Major
>         Attachments: 0001-added-RangerCommonConstants-for-javascript-polyfills.patch
>
>
> We have a need to do set inclusion and intersection checking in policy conditions.  Currently, array.includes() and array.intersects() are not supported by the Nashorn engine.  We have written javascript "polyfills" that add includes() and intersects() to the array prototype.  We want to add them to org.apache.ranger.plugin.util.RangerCommonConstants, so that the constants may be added to SCRIPT_PREEXEC in org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator.
> {*}Business Use Case{*}:  For example, is the business partner named in the table's _partner_ column among those whose data the user has permission to see?   Currently in our row filter policy this must be expressed as: {_}${{{}USER.partners{}}}.indexOf(partner) > -1{_}.  It would be nice to instead write _${{{}USER.partners{}}}.includes(partner)._  
> More significantly, we need to test for set intersection.  For example, our tables are tagged with the _partner_ tag, which has an attribute _value_ that contains an array of partners whose data is included in the table.*  If there is no partner in common, ie no intersection, between the partner tag.value array and the USER.partners array, the user should be denied access to the table.   Currently in our tag policy this is expressed as:
> _var result = TAG.value.split(",").filter(function( n ) {_
>   _return USER.partners.indexOf( n ) > -1;_
> _}); result.length != 0;_
> We would much prefer this direct way to express intersection:
> _TAG.value.split(",").intersects(USER.partners);_
> _--_
> {_}*{_}Actually, a comma-separated string of partners which we convert to an array using split, since Ranger can't currently handle arrays as tag attributes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)