Posted to dev@ranger.apache.org by "Subhrat Chaudhary (Jira)" <ji...@apache.org> on 2023/04/12 08:44:00 UTC
[jira] [Created] (RANGER-4184) ABAC Expression in policy condition at policy level does not return expected ResourceACL
Subhrat Chaudhary created RANGER-4184:
-----------------------------------------
Summary: ABAC Expression in policy condition at policy level does not return expected ResourceACL
Key: RANGER-4184
URL: https://issues.apache.org/jira/browse/RANGER-4184
Project: Ranger
Issue Type: Bug
Components: plugins
Reporter: Subhrat Chaudhary
Assignee: Subhrat Chaudhary
When an ABAC expression, e.g. HAS_TAG('PII'), is added to the policy condition at policy level, the expected ResourceACLs are not returned.
Steps to reproduce:
* Create the following tags for Hive:
** PII: database=testdb, table=employee, columns=name.dept
** PII_NAME: database=testdb, table=employee, columns=name
* Create a tag-based policy:
** TAGS: PII
** Policy condition at policy level: HAS_TAG('PII_NAME')
* Allow policy item:
** User: joe
** Component: Hive, Permissions: Select
For both of the following resource definitions in the request sent:
*
{code:java}
{ownerUser={devtest} elements={database=testdb; column=name; table=employee; } }{code}
*
{code:java}
{ownerUser={devtest} elements={database=testdb; column=dept; table=employee; } }{code}
The ResourceACL received is as below:
{code:java}
{UserACLs={user=joe:permissions={{Permission=Select, value=ALLOWED, final=true},{RangerPolicyID=123},},}, GroupACLs={}, RoleACLs={}, rowFilters=[], dataMasks=[]}, rowFilters=[], dataMasks=[]{code}
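A standalone model of the reproduction above, added as an example and not part of the original report or of Ranger's code. It assumes HAS_TAG('X') is true only when the requested resource carries tag X, that a false policy-level condition disables the whole policy for that request, and that "columns=name.dept" means the columns name and dept; `TagPolicy`, `tags_for` and `user_acls` are hypothetical names.

```python
from dataclasses import dataclass, field

# Constructed from the reproduction steps. "columns=name.dept" is read
# as the two columns name and dept (assumption).
TAGGED_COLUMNS = {
    "PII": {("testdb", "employee", "name"), ("testdb", "employee", "dept")},
    "PII_NAME": {("testdb", "employee", "name")},
}


def tags_for(resource):
    """Tags attached to a (database, table, column) resource."""
    return {tag for tag, cols in TAGGED_COLUMNS.items() if resource in cols}


@dataclass
class TagPolicy:
    """Hypothetical stand-in for a tag-based policy with one policy-level condition."""
    policy_id: int
    tag: str            # tag the policy is written for
    required_tag: str   # models the condition HAS_TAG('<required_tag>')
    allow: dict = field(default_factory=dict)  # user -> list of permissions

    def user_acls(self, resource):
        tags = tags_for(resource)
        # The policy applies only to resources carrying its tag.
        if self.tag not in tags:
            return {}
        # Assumed semantics: a false policy-level condition disables the
        # whole policy for this request, so it contributes no ACL entries.
        if self.required_tag not in tags:
            return {}
        return {
            user: {perm: {"value": "ALLOWED", "policy": self.policy_id} for perm in perms}
            for user, perms in self.allow.items()
        }


POLICY = TagPolicy(policy_id=123, tag="PII", required_tag="PII_NAME",
                   allow={"joe": ["Select"]})

if __name__ == "__main__":
    for column in ("name", "dept"):
        print(column, POLICY.user_acls(("testdb", "employee", column)))
```

Under these assumptions only the request for column name yields an ALLOWED Select entry for joe, so a regression test for the plugin can compare the ResourceACL of the two requests rather than checking one in isolation.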