Posted to dev@ranger.apache.org by "Subhrat Chaudhary (Jira)" <ji...@apache.org> on 2023/04/12 08:44:00 UTC

[jira] [Created] (RANGER-4184) ABAC Expression in policy condition at policy level does not return expected ResourceACL

Subhrat Chaudhary created RANGER-4184:
-----------------------------------------

             Summary: ABAC Expression in policy condition at policy level does not return expected ResourceACL
                 Key: RANGER-4184
                 URL: https://issues.apache.org/jira/browse/RANGER-4184
             Project: Ranger
          Issue Type: Bug
          Components: plugins
            Reporter: Subhrat Chaudhary
            Assignee: Subhrat Chaudhary


When an ABAC expression, e.g. HAS_TAG('PII'), is added to the policy condition at policy level, the expected ResourceACLs are not returned.

Steps to reproduce:
 * Create the following tags for Hive:
 ** PII: database=testdb, table=employee, columns=name.dept
 ** PII_NAME: database=testdb, table=employee, columns=name
 * Create a tag-based policy:
 ** TAGS: PII
 ** Policy condition at policy level: HAS_TAG('PII_NAME')
 * Allow policy item:
 ** User: joe
 ** Component: Hive, Permissions: Select

For both of the following resource definitions in the request sent:
 * 
{code:java}
{ownerUser={devtest} elements={database=testdb; column=name; table=employee; } }{code}

 * 
{code:java}
{ownerUser={devtest} elements={database=testdb; column=dept; table=employee; } }{code}

The ResourceACL received is as below:
{code:java}
{UserACLs={user=joe:permissions={{Permission=Select, value=ALLOWED, final=true},{RangerPolicyID=123},},}, GroupACLs={}, RoleACLs={}, rowFilters=[], dataMasks=[]}, rowFilters=[], dataMasks=[]{code}



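The reproduction steps above, modelled as an added example (not part of the original report and not Apache Ranger code). It assumes the policy-level HAS_TAG condition is meant to gate the whole policy, so the dept column (tagged PII but not PII_NAME) should receive no grant; the names TagPolicy, expected_user_acls and over_grants are hypothetical.

```python
from dataclasses import dataclass

# Constructed from the report's steps: tags attached to each Hive column.
# Assumption: the PII tag covers both the name and dept columns.
RESOURCE_TAGS = {
    ("testdb", "employee", "name"): {"PII", "PII_NAME"},
    ("testdb", "employee", "dept"): {"PII"},
}

@dataclass(frozen=True)
class TagPolicy:
    policy_id: int
    tag: str           # tag the policy is attached to (TAGS: PII)
    required_tag: str  # argument of the policy-level HAS_TAG(...) condition
    user: str
    permission: str

# Policy from the report; 123 is the RangerPolicyID shown in the returned ACL.
POLICY = TagPolicy(123, "PII", "PII_NAME", "joe", "Select")

def has_tag(resource_tags, name):
    """Simplified stand-in for HAS_TAG('<name>') evaluated against one resource."""
    return name in resource_tags

def expected_user_acls(policy, resource):
    """UserACLs this model expects: a grant only if the policy-level condition holds."""
    tags = RESOURCE_TAGS.get(resource, set())
    if policy.tag not in tags:
        return {}  # tag policy does not apply to this resource at all
    if not has_tag(tags, policy.required_tag):
        return {}  # policy-level condition is false, so no policy item contributes
    return {policy.user: {policy.permission: "ALLOWED"}}

# UserACLs from the ResourceACL in the report, identical for both requests.
REPORTED_USER_ACLS = {"joe": {"Select": "ALLOWED"}}

def over_grants(policy, resource, returned):
    """(user, permission) pairs ALLOWED in `returned` that the model does not expect."""
    expected = expected_user_acls(policy, resource)
    return sorted(
        (user, perm)
        for user, perms in returned.items()
        for perm, value in perms.items()
        if value == "ALLOWED" and expected.get(user, {}).get(perm) != "ALLOWED"
    )

if __name__ == "__main__":
    for res in RESOURCE_TAGS:
        print(res, "unexpected grants:", over_grants(POLICY, res, REPORTED_USER_ACLS))
```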