[
https://issues.apache.org/jira/browse/RANGER-3940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Barbara Eckman updated RANGER-3940:
-----------------------------------
Description:
We have a need to do set inclusion and intersection checking in policy
conditions. Currently, array.includes() and array.intersects() are not
supported by the Nashorn engine. We have written JavaScript "polyfills" that
add includes() and intersects() to the array prototype. We want to add them to
org.apache.ranger.plugin.util.RangerCommonConstants, so that the constants may
be added to SCRIPT_PREEXEC in
org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator.

*Business Use Case*: For example, is the business partner named in the
table's _partner_ column among those whose data the user has permission to see?
Currently in our row filter policy this must be expressed as:
_${{USER.partners}}.indexOf(partner) > -1_. It would be nice to
instead write _${{USER.partners}}.includes(partner)_.

More significantly, we need to test for set intersection. For example, our
tables are tagged with the _partner_ tag, which has an attribute _value_ that
contains an array of partners whose data is included in the table.* If there
is no partner in common, i.e. no intersection, between the partner tag.value
array and the USER.partners array, the user should be denied access to the
table. Currently in our tag policy this is expressed as:

_var result = TAG.value.split(",").filter(function( n ) {_
_return USER.partners.indexOf( n ) > -1;_
_}); result.length != 0;_

We would much prefer this direct way to express intersection:

_TAG.value.split(",").intersects(USER.partners);_
_--_
*Actually, a comma-separated string of partners which we convert to an
array using split, since Ranger can't currently handle arrays as tag attributes.

was:
We have a need to do set inclusion and intersection checking in policy
conditions. Currently, array.includes() and array.intersects() are not
supported by the Nashorn engine. We have written JavaScript "polyfills" that
add includes() and intersects() to the array prototype. We want to add them to
org.apache.ranger.plugin.util.RangerCommonConstants, so that the constants may
be added to SCRIPT_PREEXEC in
org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator.

*Business Use Case*: For example, is the business partner named in the
table's _partner_ column among those whose data the user has permission to see?
Currently in our row filter policy this must be expressed as:
_${{USER.partners}}.indexOf(partner) > -1_. It would be nice to instead
write _${{USER.partners}}.includes(partner)_.

More significantly, we need to test for set intersection. For example, our
tables are tagged with the _partner_ tag, which has an attribute _value_ that
contains an array of partners whose data is included in the table.* If there
is no partner in common, i.e. no intersection, between the partner tag.value
array and the USER.partners array, the user should be denied access to the
table. Currently in our tag policy this is expressed as:

_var result = TAG.value.split(",").filter(function(n) {_
_return USER.partners.indexOf(n) > -1;_
_}); result.length != 0;_

We would much prefer this direct way to express intersection:

_TAG.value.split(",").intersects(USER.partners);_
-----
*Actually, a comma-separated string of partners which we convert to an
array using split, since Ranger can't currently handle arrays as tag attributes.

> Add javascript includes(), intersects() polyfills for array prototype to
> RangerCommonConstants
> ----------------------------------------------------------------------------------------------
>
> Key: RANGER-3940
> URL: https://issues.apache.org/jira/browse/RANGER-3940
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Barbara Eckman
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
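
The message does not include the polyfills it mentions. The following is an added example of what such polyfills could look like, not the reporter's or Ranger's code; the names arrayIncludes, arrayIntersects, installPolyfill and splitPartners and the sample TAG and USER values are assumptions made for illustration.

```javascript
// Added example, ES5 only so it also parses on Nashorn; not Ranger's code.
function arrayIncludes(item) {              // same test as indexOf(item) > -1
  return Array.prototype.indexOf.call(this, item) > -1;
}

function arrayIntersects(other) {           // true if any element is shared
  if (other == null || typeof other.length !== 'number') { return false; }
  for (var i = 0; i < this.length; i++) {
    if (Array.prototype.indexOf.call(other, this[i]) > -1) { return true; }
  }
  return false;
}

// Install without overwriting a native method, and non-enumerable so that
// for-in loops over arrays in existing policy scripts see no new keys.
function installPolyfill(name, fn) {
  if (typeof Array.prototype[name] === 'function') { return; }
  Object.defineProperty(Array.prototype, name, {
    value: fn, writable: true, configurable: true, enumerable: false
  });
}
installPolyfill('includes', arrayIncludes);
installPolyfill('intersects', arrayIntersects);

// Hypothetical helper: split the comma-separated tag attribute, trimming
// whitespace and dropping empty entries before comparing.
function splitPartners(value) {
  var out = [];
  var parts = String(value == null ? '' : value).split(',');
  for (var i = 0; i < parts.length; i++) {
    var p = parts[i].trim();
    if (p !== '') { out.push(p); }
  }
  return out;
}

// Constructed sample values standing in for Ranger's TAG and USER context.
var TAG = { value: 'acme, globex' };        // note the space after the comma
var USER = { partners: ['globex', 'initech'] };

function filterForm(tag, user) {            // expression quoted in the issue
  var result = tag.value.split(',').filter(function (n) {
    return user.partners.indexOf(n) > -1;
  });
  return result.length != 0;
}
function intersectsForm(tag, user) {        // proposed form, with trimming
  return splitPartners(tag.value).intersects(user.partners);
}
```

With the constructed tag value above, filterForm(TAG, USER) is false because split(",") yields " globex" with a leading space, while intersectsForm(TAG, USER) is true; an empty or missing tag value or partner list evaluates to false, so the access check denies.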