Posted to commits@kyuubi.apache.org by ch...@apache.org on 2022/08/22 05:42:32 UTC

[incubator-kyuubi] 01/03: [KYUUBI #3217] [DOCS] Doc for using Macros in row-level filter in Authz

This is an automated email from the ASF dual-hosted git repository.

chengpan pushed a commit to branch branch-1.6
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git

commit e76f8f7b39faeb74ce4c9b39de97652c747d97ba
Author: liangbowen <li...@gf.com.cn>
AuthorDate: Fri Aug 19 09:55:56 2022 +0800

    [KYUUBI #3217] [DOCS] Doc for using Macros in row-level filter in Authz
    
    ### _Why are the changes needed?_
    
    Support for macros in row-filter condition expressions, introduced in Ranger 2.3 ([release notes](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes)), is a major feature that significantly simplifies row-filter condition expressions in practice by replacing explicit condition queries with user/group attributes.
    
    - [RANGER-3605](https://issues.apache.org/jira/browse/RANGER-3605) : Support macros in row-filter/condition expressions
    - [RANGER-3550](https://issues.apache.org/jira/browse/RANGER-3550) : support for using user/tag attributes in row-filter expressions and conditions
    
    Consider a user liangtiancheng with the attribute born_city = guangzhou: we can define the row filter condition as city='${{USER.born_city}}' with the macro feature.
    
    However, this feature implicitly relies on a config named `ranger.plugin.spark.enable.implicit.userstore.enricher`, and the default value false will prevent RangerUserStoreEnricher from fetching users/groups and their attributes. Macros in row-filter conditions will fall back to a null value (for lack of user attribute values in the UserStore of the auth context) in script transformation, unexpectedly and imperceptibly.
    
    Improving the doc of ranger-spark-security.xml to make users aware of this feature and the related config.
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before making a pull request
    
    Closes #3267 from bowenliang123/doc-ranger-macros.
    
    Closes #3217
    
    aee4b201 [liangbowen] plain text
    a7ec3bc9 [liangbowen] update docs and clarify difference between ranger.plugin.hive.policy.cache.dir and ranger.plugin.spark.policy.cache.dir configs
    4887bd1f [liangbowen] simplify with "row filter expressions"
    fa62402f [liangbowen] skip list items
    9dd1cd4c [liangbowen] h5. Using Macros in Row Level Filters
    849bed5b [liangbowen] add docs for Additional configs for using Macros in row-level filter
    
    Authored-by: liangbowen <li...@gf.com.cn>
    Signed-off-by: Kent Yao <ya...@apache.org>
---
 docs/security/authorization/spark/install.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/docs/security/authorization/spark/install.md b/docs/security/authorization/spark/install.md
index e04b34680..ec2892230 100644
--- a/docs/security/authorization/spark/install.md
+++ b/docs/security/authorization/spark/install.md
@@ -74,6 +74,23 @@ for pointing to the right Ranger admin server.
 
 </configuration>
 ```
+##### Using Macros in Row Level Filters
+
+Macros are now supported for using user/group/tag in row filter expressions, introduced in [Ranger 2.3](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes). This feature helps significantly simplify row filter expressions by using user/group/tag's attributes instead of explicit conditions. Considering a user with an attribute `born_city` of value `Guangzhou `, the row filter condition as `city='${{USER.born_city}}'` will be transformed to `city='Guangz [...]
+   
+```xml
+    <property>
+        <name>ranger.plugin.spark.enable.implicit.userstore.enricher</name>
+        <value>true</value>
+        <description>Enable UserStoreEnricher for fetching user and group attributes if using macros or scripts in row-filters since Ranger 2.3</description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hive.policy.cache.dir</name>
+        <value>./a ranger hive service name/policycache</value>
+        <description>As Authz plugin reuses hive service def, a policy cache path is required for caching UserStore and Tags for "hive" service def, while "ranger.plugin.spark.policy.cache.dir config" is the path for caching policies in service. </description>
+    </property>    
+```
 
 #### ranger-spark-audit.xml
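
Review bot: In the `ranger.plugin.hive.policy.cache.dir` property, the value `./a ranger hive service name/policycache` reads like a literal path containing spaces rather than a placeholder; mark it explicitly as a placeholder for the service name, and consider saying what the relative `./` is resolved against. In the same property's description the closing quote is misplaced, so the word "config" ends up inside the quoted key (`"ranger.plugin.spark.policy.cache.dir config"`); move the quote to just after `dir`. The description of `ranger.plugin.spark.enable.implicit.userstore.enricher` says when to enable it but not what happens when it is left at its default; since the commit message says macros then fall back to a null value without any visible error, that consequence is worth stating next to the property so a reader does not end up with a row filter that silently matches the wrong rows. Minor: `Guangzhou ` has a trailing space inside the backticks, the whitespace-only line after the paragraph and the last `</property>` line carry trailing whitespace, and the new heading follows the closing code fence with no blank line between them.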