[
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17572498#comment-17572498
]
Madhan Neethiraj commented on RANGER-3839:
------------------------------------------
{quote}The above is from 2.2.0 version of Ranger, Good news is with version
2.3.0, It seems to be fixed, and below are the tests. Please confirm if this
behavior is fixed.
{quote}
[[email protected]] - this issue is tracked in RANGER-3617 and was indeed
addressed in Apache Ranger 2.3.0 release.
> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Reporter: Ramesh Bhanan Byndoor
> Priority: Major
> Attachments: resourceTags.json, test_ancestor_meta.json
>
>
> Have a use case around this for Trino where user should be able to see
> allowed parents along with child table
>
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>
> Resource
>
> {code:java}
> {
> "serviceName": "cl1_hive",
> "resourceElements": {
> "database": {
> "values": ["employee"]
> },
> "table": {
> "values": ["personal"]
> },
> "column": {
> "values": ["city"]
> }
> },
> "id": 3,
> "guid": "employee.personal.city-guid"
> }
> {code}
> Policy
> {code:java}
> {
> "id": 1,
> "name": "RESTRICTED_TAG_POLICY",
> "isEnabled": true,
> "isAuditEnabled": true,
> "resources": {
> "tag": {
> "values": ["RESTRICTED"],
> "isRecursive": false
> }
> },
> "policyItems": [{
> "accesses": [{
> "type": "hive:select",
> "isAllowed": true
> }],
> "users": ["hive", "user1"],
> "groups": [],
> "delegateAdmin": false,
> "conditions": [{
> "type": "expression",
> "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
> }]
> }]
> }{code}
> The test below is working as expected
> {code:java}
> {
> "name": "ALLOW 'select city from employee.personal;' for user1 using
> RESTRICTED tag",
> "request": {
> "resource": {
> "elements": {
> "database": "employee",
> "table": "personal",
> "column": "city"
> }
> },
> "accessType": "select",
> "user": "user1",
> "userGroups": [],
> "requestData": "select city from employee.personal;' for user1"
> },
> "result": {
> "isAudited": true,
> "isAllowed": true,
> "policyId": 101
> }
> }{code}
> The expectation is how to allow? (without {color:#ff0000}allowing access to
> anything apart from this{color})
> {*}show databases{*};— with results *employee*
> *use employee;*
> *show tables; –* with results *personal*
>
> Please suggest possible ways to solve this/policy creation.
> =====================================================================================================
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
