[jira] [Updated] (RANGER-3940) Add javascript includes(), intersects() polyfills for array prototype to RangerCommonConstants

Tue, 04 Oct 2022 13:17:04 -0700 


     [ 
https://issues.apache.org/jira/browse/RANGER-3940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Barbara Eckman updated RANGER-3940:
-----------------------------------
    Summary: Add javascript includes(), intersects() polyfills for array 
prototype to RangerCommonConstants  (was: Add javascript includes, intersects 
polyfills for array prototype in ScriptEvaluator)

> Add javascript includes(), intersects() polyfills for array prototype to 
> RangerCommonConstants
> ----------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3940
>                 URL: https://issues.apache.org/jira/browse/RANGER-3940
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: Barbara Eckman
>            Priority: Major
>
> We have a need to do set inclusion and intersection checking in policy 
> conditions.  Currently, array.includes() and array.intersects() are not 
> supported by the Nashorn engine.  We have written javascript "polyfills" that 
> add includes() and intersects() to the array prototype.  We want to add them 
> to org.apache.ranger.plugin.util.RangerCommonConstants, so that the constants 
> may be added to SCRIPT_PREEXEC in 
> org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator.
> {*}Business Use Case{*}:  For example, is the business partner named in the 
> table's _partner_ column among those whose data the user has permission to 
> see?   Currently in our row filter policy this must be expressed as: 
> {_}${\{USER.partners}}.indexOf(partner) > -1{_}.  It would be nice to instead 
> write _${\{USER.partners}}.includes(partner)._  
> More significantly, we need to test for set intersection.  For example, our 
> tables are tagged with the _partner_ tag, which has an attribute _value_ that 
> contains an array of partners whose data is included in the table.*  If there 
> is no partner in common, ie no intersection, between the partner tag.value 
> array and the USER.partners array, the user should be denied access to the 
> table.   Currently in our tag policy this is expressed as:
> _var result = TAG.value.split(",").filter(function(n) {_
>   _return USER.partners.indexOf(n) > -1;_
> _}); result.length != 0;_
> We would much prefer this direct way to express intersection:
> _TAG.value.split(",").intersects(USER.partners);_
> -----
> {_}*{_}Actually, a comma-separated string of partners which we convert to an 
> array using split, since Ranger can't currently handle arrays as tag 
> attributes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to