[ https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571449#comment-17571449 ]

Ramesh Bhanan Byndoor edited comment on RANGER-3839 at 7/26/22 2:17 PM:
------------------------------------------------------------------------

I am using the Trino Ranger plugin and don't see this working as you noted; I see the same behavior when I try to replicate it with the test cases below. Hope these test cases explain the problem better.

In the policy engine, I have added this new test case.
{code:java}
@Test
public void testPolicyEngine_hiveForTag_filebased_meta() {
    // each request in the JSON file is run against the engine and compared with its expected result
    String[] conditionsTestResourceFiles = { "/policyengine/test_ancestor_meta.json" };

    runTestsFromResourceFiles(conditionsTestResourceFiles);
}
{code}
The content of test_ancestor_meta.json is attached here: [^test_ancestor_meta.json]
And my resource tags are in [^resourceTags.json]

My expectation is that these pass (marked below as TEST#1 and TEST#2), but they fail. Please check.
{code:java}
"tests":[
  {
    "name":"TEST#1 ALLOW 'use hr;' for t1user ",
    "request":{
      "resource":{"elements":{"database":"hr"}},
      "accessType":"select","user":"t1user","userGroups":[],"requestData":"use hr;' for t1user"
    },
    "result":{"isAudited":true,"isAllowed":true,"policyId":1}
  },
  {
    "name":"TEST#2 ALLOW 'describe hr.employee;' for t1user ",
    "request":{
      "resource":{"elements":{"database":"hr", "table":"employee"}},
      "accessType":"select","user":"t1user","userGroups":[],"requestData":"describe hr.employee;' for t1user"
    },
    "result":{"isAudited":true,"isAllowed":true,"policyId":1}
  },
  {
    "name":"ALLOW 'select ssn from hr.employee;' for t1user ",
    "request":{
      "resource":{"elements":{"database":"hr", "table":"employee", "column":"ssn"}},
      "accessType":"select","user":"t1user","userGroups":[],"requestData":"select ssn from hr.employee;' for t1user"
    },
    "result":{"isAudited":true,"isAllowed":true,"policyId":1}
  }
]
{code}
 

I tried with resource matching scope SELF_OR_DESCENDANTS; it succeeded, but it comes with a lot of challenges. Please let me know, if this worked in Hive, what the reason could be.

Thanks much for your time.



> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
>                 Key: RANGER-3839
>                 URL: https://issues.apache.org/jira/browse/RANGER-3839
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Ramesh Bhanan Byndoor
>            Priority: Major
>         Attachments: resourceTags.json, test_ancestor_meta.json
>
>
> Have a use case around this for Trino where user should be able to see 
> allowed parents along with child table
>  
> For the case below, taken from here:
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>  
> Resource 
>  
> {code:java}
> {
>      "serviceName": "cl1_hive",
>      "resourceElements": {
>          "database": {
>              "values": ["employee"]
>          },
>          "table": {
>              "values": ["personal"]
>          },
>          "column": {
>              "values": ["city"]
>          }
>      },
>      "id": 3,
>      "guid": "employee.personal.city-guid"
>  }
>  {code}
> Policy
> {code:java}
> {
>      "id": 1,
>      "name": "RESTRICTED_TAG_POLICY",
>      "isEnabled": true,
>      "isAuditEnabled": true,
>      "resources": {
>          "tag": {
>              "values": ["RESTRICTED"],
>              "isRecursive": false
>          }
>      },
>      "policyItems": [{
>          "accesses": [{
>              "type": "hive:select",
>              "isAllowed": true
>          }],
>          "users": ["hive", "user1"],
>          "groups": [],
>          "delegateAdmin": false,
>          "conditions": [{
>              "type": "expression",
>              "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
>          }]
>      }]
>  }{code}
> The test below is working as expected
> {code:java}
> {
>     "name": "ALLOW 'select city from employee.personal;' for user1 using 
> RESTRICTED tag",
>     "request": {
>         "resource": {
>             "elements": {
>                 "database": "employee",
>                 "table": "personal",
>                 "column": "city"
>             }
>         },
>         "accessType": "select",
>         "user": "user1",
>         "userGroups": [],
>         "requestData": "select city from employee.personal;' for user1"
>     },
>     "result": {
>         "isAudited": true,
>         "isAllowed": true,
>         "policyId": 101
>     }
> }{code}
> The expectation is: how to allow the following (without allowing access to anything apart from this)?
> *show databases;* with results *employee*
> *use employee;*
> *show tables;* with results *personal*
>  
> Please suggest possible ways to solve this/policy creation. 
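The resource and RESTRICTED_TAG_POLICY from the issue description, together with the SELF_OR_DESCENDANTS matching scope the comment above experimented with, worked through as an added Python model. This is example code written for this thread, not Ranger's policy engine and not the test files attached to the issue; the helper names `tags_for_request`, `evaluate` and `authorize` are hypothetical, and the tag's `score` attribute value, the database/table/column ordering and the treatment of the `_any` access type are assumptions of the model. It shows why the wider scope answers the "show databases / show tables" question, and why that scope has to stay confined to metadata checks: applied to a `select`, one tagged column would make the whole database readable.

```python
"""Toy model of Ranger tag-based authorization with resource-matching scopes.

Added illustration for RANGER-3839, not Apache Ranger's own code and not the
test cases attached to the issue. Resource, tag name, policy users and the
'score < 2' condition come from the issue; the tag attribute value ("score": "1"),
the hierarchy ordering and the way "_any" is handled are assumptions.
"""

HIERARCHY = ("database", "table", "column")   # Hive-style levels, top to bottom
ANY_ACCESS = "_any"                           # metadata checks (show/use/describe)

# Constructed copy of the tagged resource from the issue.
TAGGED_RESOURCES = [
    {
        "elements": {"database": "employee", "table": "personal", "column": "city"},
        "tags": [{"type": "RESTRICTED", "attributes": {"score": "1"}}],  # score assumed
    },
]

# Constructed copy of RESTRICTED_TAG_POLICY: hive/user1 may select when score < 2.
TAG_POLICIES = [
    {
        "id": 1,
        "tag": "RESTRICTED",
        "accesses": {"select"},
        "users": {"hive", "user1"},
        "condition": lambda attrs: int(attrs.get("score", 99)) < 2,
    },
]


def _path(elements):
    """Resource as an ordered tuple of (level, value), following HIERARCHY."""
    return tuple((lvl, elements[lvl]) for lvl in HIERARCHY if lvl in elements)


def _is_prefix(short, longer):
    return longer[: len(short)] == short


def tags_for_request(request_elements, scope):
    """Tags that apply to a request under the given matching scope.

    SELF: tags on the requested resource or on one of its ancestors
          (tags inherit downward, so a tag on a database covers its tables).
    SELF_OR_DESCENDANTS: additionally tags on any descendant of the request,
          which is what makes a parent visible when only a child is tagged.
    """
    req = _path(request_elements)
    found = []
    for tagged in TAGGED_RESOURCES:
        res = _path(tagged["elements"])
        covers_request = _is_prefix(res, req)                      # self or ancestor
        is_descendant = _is_prefix(req, res) and len(res) > len(req)
        if covers_request or (scope == "SELF_OR_DESCENDANTS" and is_descendant):
            found.extend(tagged["tags"])
    return found


def evaluate(request_elements, user, access_type, scope="SELF"):
    """Return (is_allowed, policy_id), like a Ranger access result."""
    for tag in tags_for_request(request_elements, scope):
        for pol in TAG_POLICIES:
            if pol["tag"] != tag["type"] or user not in pol["users"]:
                continue
            access_ok = access_type == ANY_ACCESS or access_type in pol["accesses"]
            if access_ok and pol["condition"](tag["attributes"]):
                return True, pol["id"]
    return False, None


def authorize(request_elements, user, access_type):
    """Defender-side wrapper: the wider scope is used only for metadata checks.

    Listing a parent is allowed when the user holds some access on a descendant;
    real data access stays at SELF scope, so seeing 'employee' in 'show databases'
    never turns into 'select * from employee.personal'.
    """
    scope = "SELF_OR_DESCENDANTS" if access_type == ANY_ACCESS else "SELF"
    return evaluate(request_elements, user, access_type, scope)


if __name__ == "__main__":
    checks = [
        ("show databases / use employee", {"database": "employee"}, ANY_ACCESS),
        ("show tables in employee", {"database": "employee", "table": "personal"}, ANY_ACCESS),
        ("select city (tagged column)", {"database": "employee", "table": "personal", "column": "city"}, "select"),
        ("select * from employee.personal", {"database": "employee", "table": "personal"}, "select"),
        ("select salary (untagged column)", {"database": "employee", "table": "personal", "column": "salary"}, "select"),
    ]
    for label, elements, access in checks:
        print(f"{label:34s} user1 -> {authorize(elements, 'user1', access)}")
    # The pitfall behind the "challenges" in the comment: applying SELF_OR_DESCENDANTS
    # to a data access grants select on the whole database because one column is tagged.
    print("select on database, wide scope     ->",
          evaluate({"database": "employee"}, "user1", "select", "SELF_OR_DESCENDANTS"))
```

Running the block prints allow for the two metadata checks and for the tagged column, deny for the table-level and untagged-column selects, and then the over-grant that appears when the wide scope is applied to a `select`. The design point is the split in `authorize`: visibility of ancestors is derived from access to descendants, but only for the metadata access type, so the wider scope never becomes a data-access grant.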



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
