[
https://issues.apache.org/jira/browse/RANGER-4184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Subhrat Chaudhary updated RANGER-4184:
--------------------------------------
Description:
When an ABAC expression, e.g. HAS_TAG('PII'), is added to a policy condition at
policy level, the expected ResourceACLs are not returned.
Steps to reproduce:
* Create the following tags for Hive:
** PII: database=testdb, table=employee, columns=name.dept
** PII_NAME: database=testdb, table=employee, columns=name
* Create a tag-based policy:
** TAGS: PII
** Policy condition at policy level: HAS_TAG('PII_NAME')
* Allow policy item:
** User: joe
** Component: Hive, Permissions: Select
For both of the following resource definitions in the request sent:
*
{code:java}
{ownerUser={devtest} elements={database=testdb; column=name; table=employee; }
}{code}
*
{code:java}
{ownerUser={devtest} elements={database=testdb; column=dept; table=employee; }
}{code}
The expected access result value in the received ACL is
CONDITIONAL_ALLOWED.
The ResourceACL received is as below:
{code:java}
{UserACLs={user=joe:permissions={{Permission=Select, value=ALLOWED,
final=true},{RangerPolicyID=123},},}, GroupACLs={}, RoleACLs={}, rowFilters=[],
dataMasks=[]}, rowFilters=[], dataMasks=[]{code}
was:
When an ABAC expression, e.g. HAS_TAG('PII'), is added to a policy condition at
policy level, the expected ResourceACLs are not returned.
Steps to reproduce:
* Create the following tags for Hive:
** PII: database=testdb, table=employee, columns=name.dept
** PII_NAME: database=testdb, table=employee, columns=name
* Create a tag-based policy:
** TAGS: PII
** Policy condition at policy level: HAS_TAG('PII_NAME')
* Allow policy item:
** User: joe
** Component: Hive, Permissions: Select
For both of the following resource definitions in the request sent:
*
{code:java}
{ownerUser={devtest} elements={database=testdb; column=name; table=employee; }
}{code}
*
{code:java}
{ownerUser={devtest} elements={database=testdb; column=dept; table=employee; }
}{code}
The ResourceACL received is as below:
{code:java}
{UserACLs={user=joe:permissions={{Permission=Select, value=ALLOWED,
final=true},{RangerPolicyID=123},},}, GroupACLs={}, RoleACLs={}, rowFilters=[],
dataMasks=[]}, rowFilters=[], dataMasks=[]{code}
> ABAC Expression in policy condition at policy level does not return expected
> ResourceACL
> ----------------------------------------------------------------------------------------
>
> Key: RANGER-4184
> URL: https://issues.apache.org/jira/browse/RANGER-4184
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Subhrat Chaudhary
> Assignee: Subhrat Chaudhary
> Priority: Major
>
> When an ABAC expression, e.g. HAS_TAG('PII'), is added to a policy condition at
> policy level, the expected ResourceACLs are not returned.
>
> Steps to reproduce:
> * Create the following tags for Hive:
> ** PII: database=testdb, table=employee, columns=name.dept
> ** PII_NAME: database=testdb, table=employee, columns=name
> * Create a tag-based policy:
> ** TAGS: PII
> ** Policy condition at policy level: HAS_TAG('PII_NAME')
> * Allow policy item:
> ** User: joe
> ** Component: Hive, Permissions: Select
> For both of the following resource definitions in the request sent:
> *
> {code:java}
> {ownerUser={devtest} elements={database=testdb; column=name; table=employee;
> } }{code}
> *
> {code:java}
> {ownerUser={devtest} elements={database=testdb; column=dept; table=employee;
> } }{code}
> The expected access result value in the received ACL is
> CONDITIONAL_ALLOWED.
> The ResourceACL received is as below:
> {code:java}
> {UserACLs={user=joe:permissions={{Permission=Select, value=ALLOWED,
> final=true},{RangerPolicyID=123},},}, GroupACLs={}, RoleACLs={},
> rowFilters=[], dataMasks=[]}, rowFilters=[], dataMasks=[]{code}
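
The reproduction above as a small model, added here as an illustration; it is not Apache Ranger code and is not part of the original report. It assumes the PII tag covers both the name and dept columns and follows the report's expected result: a grant guarded by a policy-level condition is reported as CONDITIONAL_ALLOWED in a precomputed ACL, because the condition decides access only at request time. All names (TagPolicy, static_acl, is_allowed) are hypothetical.

```python
# Simplified model of the reproduction above; not Apache Ranger code.
# Assumption: the PII tag covers both the name and dept columns.
from dataclasses import dataclass
from typing import Optional

ALLOWED = "ALLOWED"
CONDITIONAL_ALLOWED = "CONDITIONAL_ALLOWED"

# Constructed tag store: (database, table, column) -> tags on that column.
TAGS = {
    ("testdb", "employee", "name"): {"PII", "PII_NAME"},
    ("testdb", "employee", "dept"): {"PII"},
}


@dataclass
class TagPolicy:
    policy_id: int
    tag: str                      # tag the policy is attached to
    condition_tag: Optional[str]  # argument of policy-level HAS_TAG(...); None = no condition
    allow: dict                   # user -> set of permissions


def static_acl(policy, resource):
    """ACL computed ahead of any request: a conditioned grant is only conditional."""
    if policy.tag not in TAGS.get(resource, set()):
        return {}
    value = CONDITIONAL_ALLOWED if policy.condition_tag else ALLOWED
    return {(user, perm): value
            for user, perms in policy.allow.items() for perm in perms}


def is_allowed(policy, resource, user, perm):
    """Request-time decision: HAS_TAG is evaluated against the resource's tags."""
    tags = TAGS.get(resource, set())
    if policy.tag not in tags or perm not in policy.allow.get(user, set()):
        return False
    return policy.condition_tag is None or policy.condition_tag in tags


POLICY = TagPolicy(123, "PII", "PII_NAME", {"joe": {"Select"}})
NAME_COL = ("testdb", "employee", "name")
DEPT_COL = ("testdb", "employee", "dept")

if __name__ == "__main__":
    for col in (NAME_COL, DEPT_COL):
        print(col[2], static_acl(POLICY, col), is_allowed(POLICY, col, "joe", "Select"))
```

In this model the dept column carries PII but not PII_NAME, so a consumer that trusted a static ALLOWED entry for joe would grant Select where the request-time check refuses it.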