[
https://issues.apache.org/jira/browse/RANGER-3940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj reassigned RANGER-3940:
----------------------------------------
Fix Version/s: 3.0.0
2.4.0
Assignee: Eckman, Barbara
Resolution: Fixed
[~barbara] - thank you for suggesting this enhancement and the patch. The
patch is now merged in following branches:
master:
{noformat}
commit b9f3abffa55169331125afa0b4aeecbee41c8289 (HEAD -> master, origin/master,
origin/HEAD)
Author: Eckman, Barbara <[email protected]>
Date: Tue Oct 4 13:48:12 2022 -0400
RANGER-3940: updates to enable use of includes() and intersects() in
condition expressions
Signed-off-by: Madhan Neethiraj <[email protected]>
{noformat}
ranger-2.4:
{noformat}
commit b9254ce7f793ff2731f41e383e16b2e2cadbf4a5 (HEAD -> ranger-2.4,
origin/ranger-2.4)
Author: Eckman, Barbara <[email protected]>
Date: Tue Oct 4 13:48:12 2022 -0400
RANGER-3940: updates to enable use of includes() and intersects() in
condition expressions
Signed-off-by: Madhan Neethiraj <[email protected]>
(cherry picked from commit b9f3abffa55169331125afa0b4aeecbee41c8289)
{noformat}
> Add javascript includes(), intersects() polyfills for array prototype to
> RangerCommonConstants
> ----------------------------------------------------------------------------------------------
>
> Key: RANGER-3940
> URL: https://issues.apache.org/jira/browse/RANGER-3940
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Barbara Eckman
> Assignee: Eckman, Barbara
> Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Attachments:
> 0001-added-RangerCommonConstants-for-javascript-polyfills.patch
>
>
> We have a need to do set inclusion and intersection checking in policy
> conditions. Currently, array.includes() and array.intersects() are not
> supported by the Nashorn engine. We have written javascript "polyfills" that
> add includes() and intersects() to the array prototype. We want to add them
> to org.apache.ranger.plugin.util.RangerCommonConstants, so that the constants
> may be added to SCRIPT_PREEXEC in
> org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator.
> {*}Business Use Case{*}: For example, is the business partner named in the
> table's _partner_ column among those whose data the user has permission to
> see? Currently in our row filter policy this must be expressed as:
> {_}${{{}USER.partners{}}}.indexOf(partner) > -1{_}. It would be nice to
> instead write _${{{}USER.partners{}}}.includes(partner)._
> More significantly, we need to test for set intersection. For example, our
> tables are tagged with the _partner_ tag, which has an attribute _value_ that
> contains an array of partners whose data is included in the table.* If there
> is no partner in common, ie no intersection, between the partner tag.value
> array and the USER.partners array, the user should be denied access to the
> table. Currently in our tag policy this is expressed as:
> _var result = TAG.value.split(",").filter(function( n ) {_
> _return USER.partners.indexOf( n ) > -1;_
> _}); result.length != 0;_
> We would much prefer this direct way to express intersection:
> _TAG.value.split(",").intersects(USER.partners);_
> _--_
> {_}*{_}Actually, a comma-separated string of partners which we convert to an
> array using split, since Ranger can't currently handle arrays as tag
> attributes.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
