[
https://issues.apache.org/jira/browse/RANGER-3567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3567:
-------------------------------------
Description:
It will be useful to be able to specify policy resources using user attributes
- like
* path=/data/${{USER.dept}}/*
** matches path /data/sales for users with attribute dept=sales
** matches path /data/mktg for user with attribute dept=mktg
* database=test_${{USER.dept}}, table=${{USER._name}}
** matches database _test_sales_ and table _scot_ for user scot with attribute
dept=sales
** matches database _test_mktg_ and table _emily_ for user emily with
attribute dept=mktg
Note that Ranger already supports tokens in policy resources - like
* database=test_{USER}
* database=test_{OWNER}
* path=/data/sales/{FILENAME}
Policy resources should be able to include these tokens, in addition to
references to user attributes - like:
* database=test_${{USER.dept}}_{USER}
* path=/data/${{USER.dept}}/users/{USER}
When a policy resource has both user-attribute expressions and tokens, Ranger
policy engine should perform the following in the given order:
# replace user-attribute expressions with their values
example: test_${{USER.dept}}_{USER} will be replaced with
test_sales_{USER}
# then replace tokens
example: test_sales_{USER} will be replaced with test_sales_user1
A special case to note: when the value a user-attribute expression evaluates to
contains token(s), for example user_{USER}, this token will also be
replaced by step #2 above.
was:
It will be useful to be able to specify policy resources using user attributes
- like
* path=/data/${{USER.dept}}/*
** matches path /data/sales for users with attribute dept=sales
** matches path /data/mktg for user with attribute dept=mktg
* database=test_${{USER.dept}}, table=${{USER._name}}
** matches database _test_sales_ and table _scot_ for user scot with attribute
dept=sales
** matches database _test_mktg_ and table _emily_ for user emily with
attribute dept=mktg
> support for use of user attributes in policy resources
> ------------------------------------------------------
>
> Key: RANGER-3567
> URL: https://issues.apache.org/jira/browse/RANGER-3567
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Attachments: RANGER-3567.patch
>
>
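The two-step order described in the issue, as an added Python sketch (not Ranger's code and not the attached patch). The names expand_resource and _replacer, the sample attribute "home", and returning None for an unresolved name are assumptions of this example.

```python
import re

# Syntax from the issue text: ${{USER.<attr>}} is a user-attribute
# expression, {NAME} is a token such as {USER} or {OWNER}.
ATTR_EXPR = re.compile(r"\$\{\{USER\.(\w+)\}\}")
TOKEN = re.compile(r"\{(\w+)\}")


def _replacer(values, missing):
    """Build a re.sub callback that records names with no value."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            missing.append(match.group(0))
            return match.group(0)
        return values[name]
    return repl


def expand_resource(resource, user_attrs, tokens):
    """Expand a policy resource string in the order the issue gives.

    Returns None if any expression or token has no value (assumption of
    this sketch: an unresolved resource is treated as matching nothing).
    """
    missing = []
    # Step 1: replace user-attribute expressions with their values.
    step1 = ATTR_EXPR.sub(_replacer(user_attrs, missing), resource)
    # Step 2: replace tokens. This also expands a token that arrived
    # inside an attribute value in step 1 (the special case).
    step2 = TOKEN.sub(_replacer(tokens, missing), step1)
    return None if missing else step2


if __name__ == "__main__":
    # Constructed sample users and request context.
    tokens = {"USER": "user1"}
    print(expand_resource("test_${{USER.dept}}_{USER}", {"dept": "sales"}, tokens))
    print(expand_resource("/data/${{USER.home}}", {"home": "user_{USER}"}, tokens))
    print(expand_resource("test_${{USER.dept}}", {}, tokens))
```

In this sketch attribute values are inserted verbatim, so the store that supplies user attributes has to be treated as policy input.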