[ https://issues.apache.org/jira/browse/RANGER-4117?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-4117:
-------------------------------------
    Description: 
Ranger policies support condition expressions that enable users to set up 
access-control/masking/row-filter based on various criteria including 
user/group/tag attributes. To use such expressions in policies, service-defs 
need to be updated to add the following condition-def:
{code:java}
"conditions": [
  {
    "name":        "expression",
    "evaluator":   "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
    "label":       "Enter boolean expression",
    "description": "Boolean expression"
  }
]
{code}

Instead of requiring updates to every service-def, it will help to implicitly 
include the above in all service-defs. However, it should be possible for a 
service-def to opt out of this, via a service-def option.

 

Implementation notes:
 # while loading service-defs from the database, Ranger admin adds a condition named _expression of type RangerScriptConditionEvaluator
 # the above implicit addition of the condition can be disabled by adding the following configuration in Ranger admin: {{ranger.servicedef.enableImplicitConditionExpression=false}}
 # specific service-defs can be excluded from the above implicit addition of the condition by adding the following option in the service-def: {{enableImplicitConditionExpression=false}}

  was:
Ranger policies support condition expressions that enable users to set up 
access-control/masking/row-filter based on various criteria including 
user/group/tag attributes. To use such expressions in policies, service-defs 
need to be updated to add the following condition-def:
{code:java}
"conditions": [
  {
    "name":        "expression",
    "evaluator":   "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
    "label":       "Enter boolean expression",
    "description": "Boolean expression"
  }
]
{code}

Instead of requiring updates to every service-def, it will help to implicitly 
include the above in all service-defs. However, it should be possible for a 
service-def to opt out of this, via a service-def option.


> service-def option to include expression condition implicitly
> -------------------------------------------------------------
>
>                 Key: RANGER-4117
>                 URL: https://issues.apache.org/jira/browse/RANGER-4117
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>         Attachments: RANGER-4117.patch
>
>
> Ranger policies support condition expressions that enable users to set up 
> access-control/masking/row-filter based on various criteria including 
> user/group/tag attributes. To use such expressions in policies, service-defs 
> need to be updated to add the following condition-def:
> {code:java}
> "conditions": [
>   {
>     "name":        "expression",
>     "evaluator":   "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
>     "label":       "Enter boolean expression",
>     "description": "Boolean expression"
>   }
> ]
> {code}
>  
> Instead of requiring updates to every service-def, it will help to implicitly 
> include the above in all service-defs. However, it should be possible for a 
> service-def to opt out of this, via a service-def option.
>  
> Implementation notes:
>  # while loading service-defs from the database, Ranger admin adds a condition named _expression of type RangerScriptConditionEvaluator
>  # the above implicit addition of the condition can be disabled by adding the following configuration in Ranger admin: {{ranger.servicedef.enableImplicitConditionExpression=false}}
>  # specific service-defs can be excluded from the above implicit addition of the condition by adding the following option in the service-def: {{enableImplicitConditionExpression=false}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
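
The load-time behaviour from the implementation notes, modelled as an added example (not Ranger's code and not the attached patch) to audit which service-defs end up exposing a script-evaluated condition. Assumptions: service-def options live in a map under `options`, condition-defs sit under the `conditions` key as in the snippet above, only the string "false" disables the feature, and a condition already named `_expression` is not added twice; the sample service-defs are constructed.

```python
import copy

# Names and values taken from the issue text.
IMPLICIT_NAME = "_expression"
EVALUATOR = "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator"
ADMIN_PROP = "ranger.servicedef.enableImplicitConditionExpression"
SVC_OPTION = "enableImplicitConditionExpression"


def _enabled(settings, key):
    # Assumption: an absent setting means enabled; only "false" opts out.
    return str(settings.get(key, "true")).strip().lower() != "false"


def with_implicit_condition(service_def, admin_config):
    """Return a copy of service_def as it would look after loading."""
    result = copy.deepcopy(service_def)
    options = result.get("options") or {}
    # Either the admin-wide property or the per-service-def option opts out.
    if not (_enabled(admin_config, ADMIN_PROP) and _enabled(options, SVC_OPTION)):
        return result
    conditions = result.setdefault("conditions", [])
    # Assumption: a condition already using the implicit name is left alone.
    if all(c.get("name") != IMPLICIT_NAME for c in conditions):
        conditions.append({"name": IMPLICIT_NAME, "evaluator": EVALUATOR,
                           "label": "Enter boolean expression",
                           "description": "Boolean expression"})
    return result


def script_conditions(service_def):
    """Names of condition-defs backed by the script evaluator."""
    return [c["name"] for c in service_def.get("conditions", [])
            if c.get("evaluator") == EVALUATOR]


def audit(service_defs, admin_config):
    """Map service-def name -> script conditions policy authors could use."""
    return {d["name"]: script_conditions(with_implicit_condition(d, admin_config))
            for d in service_defs}


# Constructed sample service-defs (hypothetical names).
SAMPLE_DEFS = [
    {"name": "svc-default", "conditions": []},
    {"name": "svc-opted-out", "options": {SVC_OPTION: "false"}},
    {"name": "svc-explicit",
     "conditions": [{"name": "expression", "evaluator": EVALUATOR}]},
]
```

Run `audit(SAMPLE_DEFS, {})` against exported service-defs to list where script expressions become available once the implicit condition is in effect.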
