[ https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17572431#comment-17572431 ]

Ramesh Bhanan Byndoor edited comment on RANGER-3839 at 7/28/22 12:49 PM:
-------------------------------------------------------------------------

[~madhan] Thanks a ton for the detailed explanation!
{quote}If you are looking to check if the user has permission on any resource 
within a given resource, then resource-match-scope should be set as 
SELF_OR_DESCENDENTS. What issue do you see with it?
{quote}
The challenge I see with _SELF_OR_DESCENDENTS_ is that when DenyAllElse is present 
on any of the policies which share the same *hierarchy*, any one of them denies for 
all. For example, I have the simple policies below:
{code:java}
"policies":[
  {"id":101,"name":"db=hr; table=tab1;","isEnabled":true,"isAuditEnabled":true,
    "resources":{"database":{"values":["hr"]},"table":{"values":["tab1"]},"column":{"values":["*"]}},
    "policyItems":[
      {"accesses":[{"type":"all","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
    ],
    "isDenyAllElse": true
  },
  {"id":102,"name":"db=hr; table=tab2;","isEnabled":true,"isAuditEnabled":true,
    "resources":{"database":{"values":["hr"]},"table":{"values":["tab2"]},"column":{"values":["*"]}},
    "policyItems":[
      {"accesses":[{"type":"all","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
    ],
    "isDenyAllElse": true
  }
]{code}
What I have seen is the behavior below; it should not have failed TEST#1 and 
TEST#2:
{code:java}
"tests":[
  {
    "name":"ALLOW 'use hr;' for user1",
    "request":{
      "resource":{"elements":{"database":"hr"}},
      "accessType":"","user":"user1","userGroups":[],"requestData":"use hr;' for user1"
    },
    "result":{"isAudited":true,"isAllowed":false,"policyId":102}
  },
  {
    "name":"ALLOW 'use hr;' for user2",
    "request":{
      "resource":{"elements":{"database":"hr"}},
      "accessType":"","user":"user2","userGroups":[],"requestData":"use hr;' for user2"
    },
    "result":{"isAudited":true,"isAllowed":false,"policyId":101}
  },
  {
    "name":"ALLOW 'tab2 for user2",
    "request":{
      "resource":{"elements":{"database":"hr","table":"tab2"}},
      "accessType":"","user":"user2","userGroups":[],"requestData":"tab2 for user2"
    },
    "result":{"isAudited":true,"isAllowed":true,"policyId":102}
  }
]{code}
 

The above is from the 2.2.0 version of Ranger. The good news is that with version 2.3.0 
it seems to be fixed; below are the tests. Please confirm whether this behavior is 
fixed.

 
{code:java}
"tests":[
  {
    "name":"ALLOW 'use hr;' for user1",
    "request":{
      "resource":{"elements":{"database":"hr"}},
      "accessType":"","user":"user1","userGroups":[],"requestData":"use hr;' for user1"
    },
    "result":{"isAudited":true,"isAllowed":true,"policyId":101}
  },
  {
    "name":"ALLOW 'use hr;' for user2",
    "request":{
      "resource":{"elements":{"database":"hr"}},
      "accessType":"","user":"user2","userGroups":[],"requestData":"use hr;' for user2"
    },
    "result":{"isAudited":true,"isAllowed":true,"policyId":102}
  },
  {
    "name":"ALLOW 'tab2 for user2",
    "request":{
      "resource":{"elements":{"database":"hr","table":"tab2"}},
      "accessType":"","user":"user2","userGroups":[],"requestData":"tab2 for user2"
    },
    "result":{"isAudited":true,"isAllowed":true,"policyId":102}
  }
]{code}

> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
>                 Key: RANGER-3839
>                 URL: https://issues.apache.org/jira/browse/RANGER-3839
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Ramesh Bhanan Byndoor
>            Priority: Major
>         Attachments: resourceTags.json, test_ancestor_meta.json
>
>
> I have a use case around this for Trino where a user should be able to see 
> allowed parents along with the child table.
>  
> For the case below, from here:
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>  
> Resource:
> {code:java}
> {
>      "serviceName": "cl1_hive",
>      "resourceElements": {
>          "database": {
>              "values": ["employee"]
>          },
>          "table": {
>              "values": ["personal"]
>          },
>          "column": {
>              "values": ["city"]
>          }
>      },
>      "id": 3,
>      "guid": "employee.personal.city-guid"
>  }
>  {code}
> Policy:
> {code:java}
> {
>      "id": 1,
>      "name": "RESTRICTED_TAG_POLICY",
>      "isEnabled": true,
>      "isAuditEnabled": true,
>      "resources": {
>          "tag": {
>              "values": ["RESTRICTED"],
>              "isRecursive": false
>          }
>      },
>      "policyItems": [{
>          "accesses": [{
>              "type": "hive:select",
>              "isAllowed": true
>          }],
>          "users": ["hive", "user1"],
>          "groups": [],
>          "delegateAdmin": false,
>          "conditions": [{
>              "type": "expression",
>              "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
>          }]
>      }]
>  }{code}
> The test below is working as expected:
> {code:java}
> {
>     "name": "ALLOW 'select city from employee.personal;' for user1 using 
> RESTRICTED tag",
>     "request": {
>         "resource": {
>             "elements": {
>                 "database": "employee",
>                 "table": "personal",
>                 "column": "city"
>             }
>         },
>         "accessType": "select",
>         "user": "user1",
>         "userGroups": [],
>         "requestData": "select city from employee.personal;' for user1"
>     },
>     "result": {
>         "isAudited": true,
>         "isAllowed": true,
>         "policyId": 101
>     }
> }{code}
> The expectation is: how to allow the following (without {color:#ff0000}allowing access to 
> anything apart from this{color})?
> *show databases;* with result *employee*
> *use employee;*
> *show tables;* with result *personal*
>  
> Please suggest possible ways to solve this (policy creation). 
> =====================================================================================================



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

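A runnable model of the evaluation the comment above describes, added here as an illustration; it is not Ranger's policy engine and not code from the thread. It replays the two isDenyAllElse policies (ids 101 and 102) and the three posted requests, plus two constructed extra cases, under a deliberately simplified matcher: a fixed database/table/column hierarchy, shell-style wildcards only (no isRecursive or isExcludes), accessType ignored (the posted requests use an empty accessType), and a single precedence rule inferred from the posted 2.2.0 results, namely that a deny-all-else from any matching policy overrides another policy's allow. The names match_scope, evaluate, run_all and the switch deny_all_else_on_descendant are hypothetical; the switch exists only to show the two observed behaviors side by side and says nothing about how 2.3.0 actually changed internally.

```python
"""Toy model of Ranger-style policy evaluation for the two isDenyAllElse
policies in the comment above, under ancestor/descendant resource matching.

Added illustration, not Ranger's engine: matching is shell-style wildcards on
a fixed database/table/column hierarchy, accessType is ignored, and the only
precedence rule modelled is the one visible in the posted 2.2.0 results
(a deny-all-else from any matching policy overrides another policy's allow).
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

HIERARCHY = ("database", "table", "column")  # Hive-style resource levels

# Constructed from the policy JSON in the comment (ids 101 and 102).
POLICIES: List[dict] = [
    {"id": 101,
     "resources": {"database": ["hr"], "table": ["tab1"], "column": ["*"]},
     "policyItems": [{"users": ["user1"], "accesses": ["all"]}],
     "isDenyAllElse": True},
    {"id": 102,
     "resources": {"database": ["hr"], "table": ["tab2"], "column": ["*"]},
     "policyItems": [{"users": ["user2"], "accesses": ["all"]}],
     "isDenyAllElse": True},
]


def match_scope(policy_res: Dict[str, List[str]],
                request_res: Dict[str, str]) -> Optional[str]:
    """Relate a policy resource to a requested resource (hypothetical helper).

    'self'       -> policy covers exactly the requested object (any policy
                    levels deeper than the request are wildcards)
    'descendant' -> policy covers something below the requested object
                    (e.g. policy on hr.tab2, request on database hr)
    None         -> no match
    """
    for i, level in enumerate(HIERARCHY):
        if level not in request_res:
            deeper = [lv for lv in HIERARCHY[i:] if lv in policy_res]
            if all(policy_res[lv] == ["*"] for lv in deeper):
                return "self"
            return "descendant"
        if level not in policy_res:
            return None  # policy less specific than the request; out of scope here
        if not any(fnmatchcase(request_res[level], pat) for pat in policy_res[level]):
            return None
    return "self"


def evaluate(request: dict, policies: List[dict],
             deny_all_else_on_descendant: bool) -> Tuple[bool, Optional[int]]:
    """Return (isAllowed, policyId) the way the posted test results report it.

    deny_all_else_on_descendant is a hypothetical switch: True reproduces the
    posted 2.2.0 results (deny-all-else fires even when the request is only an
    ancestor of the policy resource); False reproduces the posted 2.3.0 results
    (deny-all-else fires only on a 'self' match).
    """
    user = request["user"]
    allowed_by: Optional[int] = None
    for p in policies:
        scope = match_scope(p["resources"], request["resource"])
        if scope is None:
            continue
        if any(user in item["users"] for item in p["policyItems"]):
            if allowed_by is None:
                allowed_by = p["id"]
        elif p["isDenyAllElse"] and (scope == "self" or deny_all_else_on_descendant):
            return False, p["id"]  # a deny-all-else wins over any allow
    return allowed_by is not None, allowed_by


# Constructed requests mirroring the three tests in the comment, plus two
# extra cases: an exact-match request by the wrong user, and an unknown user.
REQUESTS = [
    ("use hr; for user1", {"resource": {"database": "hr"}, "user": "user1"}),
    ("use hr; for user2", {"resource": {"database": "hr"}, "user": "user2"}),
    ("tab2 for user2", {"resource": {"database": "hr", "table": "tab2"}, "user": "user2"}),
    ("tab2 for user1", {"resource": {"database": "hr", "table": "tab2"}, "user": "user1"}),
    ("use hr; for user3", {"resource": {"database": "hr"}, "user": "user3"}),
]


def run_all(deny_all_else_on_descendant: bool) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Evaluate every constructed request under one mode, keyed by request name."""
    return {name: evaluate(req, POLICIES, deny_all_else_on_descendant)
            for name, req in REQUESTS}


if __name__ == "__main__":
    for label, flag in (("2.2.0-like", True), ("2.3.0-like", False)):
        print(label)
        for name, (allowed, pid) in run_all(flag).items():
            print(f"  {name:20} isAllowed={str(allowed):5} policyId={pid}")
```

Running the file prints one table per mode. The 2.2.0-like mode reproduces the cross-denials from the comment (user1 on hr denied by 102, user2 on hr denied by 101), the 2.3.0-like mode reproduces the allows, and in both modes the exact-match request by user1 on hr.tab2 is denied by policy 102, which is the case isDenyAllElse exists for. The user3 case shows the other side of the 2.3.0-like behavior: with deny-all-else no longer firing on ancestor matches, a user with no allow anywhere under hr falls through to an implicit deny with no policyId rather than an explicit one.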