[ https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ramesh Bhanan Byndoor updated RANGER-3839:
------------------------------------------
Description:
I have a use case around this for Trino where a user should be able to see the allowed parents along with the child table.
For the case below, taken from here:
[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
Resource
{code:java}
{
  "serviceName": "cl1_hive",
  "resourceElements": {
    "database": {
      "values": ["employee"]
    },
    "table": {
      "values": ["personal"]
    },
    "column": {
      "values": ["city"]
    }
  },
  "id": 3,
  "guid": "employee.personal.city-guid"
}
{code}
Policy
{code:java}
{
  "id": 1,
  "name": "RESTRICTED_TAG_POLICY",
  "isEnabled": true,
  "isAuditEnabled": true,
  "resources": {
    "tag": {
      "values": ["RESTRICTED"],
      "isRecursive": false
    }
  },
  "policyItems": [{
    "accesses": [{
      "type": "hive:select",
      "isAllowed": true
    }],
    "users": ["hive", "user1"],
    "groups": [],
    "delegateAdmin": false,
    "conditions": [{
      "type": "expression",
      "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
    }]
  }]
}
{code}
The test below is working as expected
{code:java}
{
  "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
  "request": {
    "resource": {
      "elements": {
        "database": "employee",
        "table": "personal",
        "column": "city"
      }
    },
    "accessType": "select",
    "user": "user1",
    "userGroups": [],
    "requestData": "select city from employee.personal;' for user1"
  },
  "result": {
    "isAudited": true,
    "isAllowed": true,
    "policyId": 101
  }
}
{code}
The expectation is: how to allow the following (without allowing access to anything apart from this)?
*show databases;* with results *employee*
*use employee;*
*show tables;* with results *personal*
Please suggest possible ways to solve this (policy creation).
=====================================================================================================
was:
I have a use case around this for Trino and Hive where a user should be able to see the allowed parents along with the child table.
For the case below, taken from here:
[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
Resource
{code:java}
{
  "serviceName": "cl1_hive",
  "resourceElements": {
    "database": {
      "values": ["employee"]
    },
    "table": {
      "values": ["personal"]
    },
    "column": {
      "values": ["city"]
    }
  },
  "id": 3,
  "guid": "employee.personal.city-guid"
}
{code}
Policy
{code:java}
{
  "id": 1,
  "name": "RESTRICTED_TAG_POLICY",
  "isEnabled": true,
  "isAuditEnabled": true,
  "resources": {
    "tag": {
      "values": ["RESTRICTED"],
      "isRecursive": false
    }
  },
  "policyItems": [{
    "accesses": [{
      "type": "hive:select",
      "isAllowed": true
    }],
    "users": ["hive", "user1"],
    "groups": [],
    "delegateAdmin": false,
    "conditions": [{
      "type": "expression",
      "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
    }]
  }]
}
{code}
The test below is working as expected
{code:java}
{
  "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
  "request": {
    "resource": {
      "elements": {
        "database": "employee",
        "table": "personal",
        "column": "city"
      }
    },
    "accessType": "select",
    "user": "user1",
    "userGroups": [],
    "requestData": "select city from employee.personal;' for user1"
  },
  "result": {
    "isAudited": true,
    "isAllowed": true,
    "policyId": 101
  }
}
{code}
The expectation is: how to allow the following (without allowing access to anything apart from this)?
*show databases;* with results *employee*
*use employee;*
*show tables;* with results *personal*
Please suggest possible ways to solve this (policy creation).
=====================================================================================================
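The behaviour the description asks for, as an added illustration that is not Ranger's policy engine and not code from the reporter: a user granted a column through the RESTRICTED tag policy should be able to list the column's parent database and table, while access on those parents (and on any sibling object) stays denied. The model assumes tags attach to the most specific resource and are inherited only downwards (a tag on a database applies to its tables and columns, never the reverse); the policy's JavaScript condition `tagAttr.get('score') < 2` is rewritten as a Python predicate; the score attributes and the extra tagged columns (`ssn`, `finance.ledger.amount`) are constructed sample data.

```python
"""Added illustration (not Apache Ranger code): derive the parent objects a
user may *list* from the leaf resources a tag policy allows, without granting
any access on the parents themselves."""
from typing import Dict, List, Set

# Hive resource levels in hierarchy order.
LEVELS = ["database", "table", "column"]

# Constructed sample data: tag assignments in the shape of the issue's resource
# element (database/table/column), each with a RESTRICTED tag and a score.
RESOURCE_TAGS = [
    {"resource": {"database": "employee", "table": "personal", "column": "city"},
     "tags": [{"type": "RESTRICTED", "attributes": {"score": "1"}}]},
    {"resource": {"database": "employee", "table": "personal", "column": "ssn"},
     "tags": [{"type": "RESTRICTED", "attributes": {"score": "5"}}]},
    {"resource": {"database": "finance", "table": "ledger", "column": "amount"},
     "tags": [{"type": "RESTRICTED", "attributes": {"score": "1"}}]},
]

# The issue's tag policy, reduced to the fields this evaluation needs.
POLICY = {
    "tag": "RESTRICTED",
    "accessType": "hive:select",
    "users": {"hive", "user1"},
}


def condition(attrs: Dict[str, str]) -> bool:
    """Python stand-in (assumption) for the policy's JavaScript condition:
    if ( tagAttr.get('score') < 2 ) ctx.result = true;"""
    score = attrs.get("score")
    return score is not None and int(score) < 2


def is_prefix(prefix: Dict[str, str], full: Dict[str, str]) -> bool:
    """True when every element of `prefix` appears in `full` with the same
    value, i.e. `prefix` names `full` itself or one of its ancestors."""
    return all(full.get(k) == v for k, v in prefix.items())


def applicable_tags(resource: Dict[str, str]) -> List[dict]:
    """Tags on the resource itself plus tags inherited from its ancestors.
    Tags on descendants (e.g. a column tag when asking about the database)
    do not apply, which is exactly why the parent is invisible today."""
    tags: List[dict] = []
    for entry in RESOURCE_TAGS:
        if is_prefix(entry["resource"], resource):
            tags.extend(entry["tags"])
    return tags


def is_allowed(user: str, access_type: str, resource: Dict[str, str]) -> bool:
    """Evaluate the tag policy for one request; no matching tag means no grant."""
    if user not in POLICY["users"] or access_type != POLICY["accessType"]:
        return False
    return any(t["type"] == POLICY["tag"] and condition(t["attributes"])
               for t in applicable_tags(resource))


def listable(user: str, access_type: str, level: str,
             parent: Dict[str, str]) -> Set[str]:
    """Names at `level` under `parent` that a SHOW listing should include:
    objects that are, or contain, at least one tagged resource the user may
    access. Only names are derived; no access on the listed objects is
    implied. Untagged descendants are unknown to this model."""
    names: Set[str] = set()
    for entry in RESOURCE_TAGS:
        res = entry["resource"]
        if level not in res or not is_prefix(parent, res):
            continue
        if is_allowed(user, access_type, res):
            names.add(res[level])
    return names


if __name__ == "__main__":
    u, a = "user1", "hive:select"
    print("show databases      ->", sorted(listable(u, a, "database", {})))
    print("show tables (employee) ->",
          sorted(listable(u, a, "table", {"database": "employee"})))
    print("select on database employee itself allowed? ->",
          is_allowed(u, a, {"database": "employee"}))
```

The security property worth checking in any real implementation is the one the last print line exercises: `listable` only exposes the names of parents that have an accessible descendant, while `is_allowed` on the parent itself, on the sibling column `ssn`, and for a user outside the policy still returns False. Deriving the listing from allowed leaves, rather than adding a grant on the parent, is what keeps "show databases" from widening access.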
> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Reporter: Ramesh Bhanan Byndoor
> Priority: Major
> Attachments: resourceTags.json, test_ancestor_meta.json
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)