Mugdha Varadkar created RANGER-4392:
---------------------------------------

             Summary: Tag based policy with boolean expression is not working
                 Key: RANGER-4392
                 URL: https://issues.apache.org/jira/browse/RANGER-4392
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Mugdha Varadkar
            Assignee: Mugdha Varadkar


h3. Reproduction
h4. Precondition

1. Hive table with name "testtable1_polcond" exists with a tag with attributes 
expire_date and name. Expiry date is in the future, and name has value: 
"hivetag".
2. A Ranger tag-based policy exists with "Accessed after expiry_date": no, and 
the following boolean expression:
{code:java}
ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
{code}
providing access to user test_user
h4. Test steps

1. As user test_user in beeline, execute:
{code:java}
select * from testdb1_polcond.testtable1_polcond;
{code}
h4. Expected behavior

Query should be executed successfully, as the tag-based policy provides access.
h4. Actual behavior

Permission denied. In the Hive logs, the following is seen:
{code:java}
2023-08-28 11:43:34,716 INFO  org.apache.hadoop.hive.ql.Driver: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(queryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from testdb1_polcond.testtable1_polcond

...

2023-08-28 11:43:34,944 ERROR org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script, exception=javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: SyntaxError: <eval>:1:66 Expected , but found eof
exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
{code}

Policy condition response:
{code:java}
curl -u 'admin:Admin123' \
'https://quasar-leyqrl-1.quasar-leyqrl.root.hwx.site:6182/service/plugins/policies/102' \
-H 'Accept: application/json, text/plain, */*' \
--insecure
{code}
In the resulting JSON, the value for the policy condition is the following:
{code:java}
"conditions": [
                {
                    "type": "accessed-after-expiry",
                    "values": [
                        "no"
                    ]
                },
                {
                    "type": "expression",
                    "values": [
                        "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
                        "\"name\").equals(\"hivetag\");"
                    ]
                }
            ],
{code}
It looks as if Ranger Admin would split the content of the "expression" field 
along the comma, and that's what leads to the syntax error in the Hive logs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
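
An added example, not part of the original report and not Ranger code: a check over policy JSON, such as the response shown above, that flags `expression` conditions whose values look like fragments of one script cut at a comma. The function names, the bracket/quote balance heuristic and the wrapper fields around the reported `conditions` array are assumptions of this example.

```python
import json

# Constructed sample: the "conditions" array from the report, wrapped in a
# minimal policy object (the wrapper fields are assumptions of this example).
SAMPLE_POLICY = json.loads(r'''
{"id": 102, "policyItems": [{"users": ["test_user"], "conditions": [
  {"type": "accessed-after-expiry", "values": ["no"]},
  {"type": "expression", "values": [
    "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
    "\"name\").equals(\"hivetag\");"]}]}]}
''')

CLOSERS = {")": "(", "]": "[", "}": "{"}

def is_balanced(script):
    """True if every quote and bracket in the script text is closed."""
    stack, quote, escaped = [], None, False
    for ch in script:
        if quote:                      # inside a string literal
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            stack.append(ch)
        elif ch in CLOSERS and (not stack or stack.pop() != CLOSERS[ch]):
            return False
    return quote is None and not stack

def find_split_expressions(node, findings=None):
    """Collect 'expression' conditions whose values are unbalanced on their
    own but form a balanced script when rejoined with the missing comma."""
    findings = [] if findings is None else findings
    if isinstance(node, list):
        for item in node:
            find_split_expressions(item, findings)
    elif isinstance(node, dict):
        values = node.get("values")
        if node.get("type") == "expression" and isinstance(values, list):
            rejoined = ",".join(values)
            if any(not is_balanced(v) for v in values) and is_balanced(rejoined):
                findings.append({"fragments": values, "rejoined": rejoined})
        for item in node.values():
            find_split_expressions(item, findings)
    return findings
```

On the sample, the first fragment is exactly the truncated script that `RangerRequestScriptEvaluator` reported in the log; a condition with several complete expressions as separate values is not flagged.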
