> On Jan. 4, 2022, 2:35 a.m., Abhay Kulkarni wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java > > Lines 107 (patched) > > <https://reviews.apache.org/r/73782/diff/3/?file=2257423#file2257423line107> > > > > Is it possible to have token which resolves to a expression? It may be > > required to impose certain restrictions so that the evaluation process is > > not expected to repeatedly expand tokens and expressions until there is > > nothing left to resolve/substitute. > > Madhan Neethiraj wrote: > It is possible, but unless there are compelling usecases to allow such > resource names, I would suggest to start with the following: > 1. evaluate request expressions, if any, in policy-resource value > 2. then replace tokens, if any, in policy-resource value obtained after > #1 above
That sounds reasonable. However, this needs to be documented with this feature as a restriction/limitation (perhaps at least in the description of the JIRA). - Abhay ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/73782/#review223922 ----------------------------------------------------------- On Jan. 4, 2022, 12:32 a.m., Madhan Neethiraj wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/73782/ > ----------------------------------------------------------- > > (Updated Jan. 4, 2022, 12:32 a.m.) > > > Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay > Kulkarni, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan > Periasamy. > > > Bugs: RANGER-3567 > https://issues.apache.org/jira/browse/RANGER-3567 > > > Repository: ranger > > > Description > ------- > > - updated policy resource matchers to support expressions that refer to > request attributes > - request expressions are enabled by default; can be disabled in a > resource-def by setting matcherOption replaceReqExpressions=false > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java > 8bfc16136 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java > d99a7d57c > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java > 80ed569f4 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > 7841838af > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java > 43297d66f > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerURLResourceMatcher.java > e21d9079d > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java > 6d8e293a6 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java > 474005570 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestExprResolver.java > d70430b70 > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java > 81c374400 > > agents-common/src/test/resources/policyengine/test_policyengine_resource_with_req_expressions.json > PRE-CREATION > > > Diff: https://reviews.apache.org/r/73782/diff/3/ > > > Testing > ------- > > - added test cases to validate resource names that include request expressions > > > Thanks, > > Madhan Neethiraj > >
