Barbara Eckman created RANGER-3940:
--------------------------------------

             Summary: Add javascript includes, intersects polyfills for array 
prototype in ScriptEvaluator
                 Key: RANGER-3940
                 URL: https://issues.apache.org/jira/browse/RANGER-3940
             Project: Ranger
          Issue Type: Improvement
          Components: Ranger
    Affects Versions: 3.0.0
            Reporter: Barbara Eckman


We have a need to do set inclusion and intersection checking in policy 
conditions.  Currently, array.includes() and array.intersects() are not 
supported by the Nashorn engine.  We have written JavaScript "polyfills" that 
add includes() and intersects() to the array prototype.  We want to add them to 
org.apache.ranger.plugin.util.RangerCommonConstants, so that the constants may 
be added to SCRIPT_PREEXEC in 
org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator.

Business Use Case:  For example, is the business partner named in the 
table's partner column among those whose data the user has permission to see? 
Currently in our row filter policy this must be expressed as: 
${{USER.partners}}.indexOf(partner) > -1.  It would be nice to instead 
write ${{USER.partners}}.includes(partner).

More significantly, we need to test for set intersection.  For example, our 
tables are tagged with the partner tag, which has an attribute value that 
contains an array of partners whose data is included in the table.*  If there 
is no partner in common, i.e. no intersection, between the partner tag.value 
array and the USER.partners array, the user should be denied access to the 
table.  Currently in our tag policy this is expressed as:

    var result = TAG.value.split(",").filter(function(n) {
      return USER.partners.indexOf(n) > -1;
    }); result.length != 0;

We would much prefer this direct way to express intersection:

    TAG.value.split(",").intersects(USER.partners);

-----

* Actually, a comma-separated string of partners which we convert to an 
array using split, since Ranger can't currently handle arrays as tag attributes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
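
A sketch of what such polyfills could look like, as an added example that is not the reporter's or the Ranger project's code. It is ES5-only so it fits Nashorn; the function names and the USER/TAG sample values are hypothetical and constructed for illustration.

```javascript
// Added example (ES5 syntax only). All function names here are hypothetical.

// True if `item` is an element of `arr`; false for anything that is not an array.
function arrayIncludes(arr, item) {
  return Array.isArray(arr) && arr.indexOf(item) > -1;
}

// True if `a` and `b` share at least one element. A non-array operand
// (e.g. an undefined USER.partners) yields false, so a policy condition
// built on this fails closed instead of throwing or matching.
function arrayIntersects(a, b) {
  if (!Array.isArray(a) || !Array.isArray(b)) { return false; }
  for (var i = 0; i < a.length; i++) {
    if (b.indexOf(a[i]) > -1) { return true; }
  }
  return false;
}

// Install on a prototype without overwriting an existing method and without
// making the new names enumerable, so for-in loops in scripts are unaffected.
function installPolyfills(proto) {
  var methods = {
    includes: function (item) { return arrayIncludes(this, item); },
    intersects: function (other) { return arrayIntersects(this, other); }
  };
  Object.keys(methods).forEach(function (name) {
    if (typeof proto[name] !== 'function') {
      Object.defineProperty(proto, name, {
        value: methods[name], writable: true, configurable: true, enumerable: false
      });
    }
  });
}

installPolyfills(Array.prototype);

// Constructed sample values standing in for the Ranger request context.
var USER = { partners: ['acme', 'globex'] };
var TAG = { value: 'initech,globex' };

// The two conditions from the issue text, written with the new methods.
function rowFilterAllows(partner) { return USER.partners.includes(partner); }
function tagPolicyAllows(tagValue, partners) {
  return tagValue.split(',').intersects(partners);
}
```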