[
https://issues.apache.org/jira/browse/RANGER-4392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mugdha Varadkar updated RANGER-4392:
------------------------------------
Attachment: 0001-RANGER-4392.patch
> Tag based policy with boolean expression is not working
> -------------------------------------------------------
>
> Key: RANGER-4392
> URL: https://issues.apache.org/jira/browse/RANGER-4392
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Mugdha Varadkar
> Assignee: Mugdha Varadkar
> Priority: Major
> Labels: ranger-react
> Attachments: 0001-RANGER-4392.patch
>
>
> h3. Reproduction
> h4. Precondition
> 1. Hive table with name "testtable1_polcond" exists with tag with attributes
> expire_date, and name. Expiry date is in the future, and name has value:
> "hivetag".
> 2. A ranger tag-based policy exists with "Accessed after expiry_date": no,
> and the following boolean expression:
> {code:java}
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
> {code}
> providing access to user test_user
> h4. Test steps
> 1. As user test_user in beeline, execute:
> {code:java}
> select * from testdb1_polcond.testtable1_polcond;
> {code}
> h4. Expected behavior
> Query should be executed successfully as tag based policy provides access.
> h4. Actual behavior
> Permission denied. In hive logs, the following is seen:
> {code:java}
> 2023-08-28 11:43:34,716 INFO org.apache.hadoop.hive.ql.Driver: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(queryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from testdb1_polcond.testtable1_polcond
> ...
> 2023-08-28 11:43:34,944 ERROR org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script, exception=javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: SyntaxError: <eval>:1:66 Expected , but found eof
> exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
> {code}
> Policy condition response:
> {code:java}
> curl -u 'admin:Admin123' 'https://quasar-leyqrl-1.quasar-leyqrl.root.hwx.site:6182/service/plugins/policies/102' \
>   -H 'Accept: application/json, text/plain, */*' \
>   --insecure
> {code}
> In the resulting json, the value for the policy condition is the following:
> {code:java}
> "conditions": [
>   {
>     "type": "accessed-after-expiry",
>     "values": [
>       "no"
>     ]
>   },
>   {
>     "type": "expression",
>     "values": [
>       "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
>       "\"name\").equals(\"hivetag\");"
>     ]
>   }
> ],
> {code}
> It looks as if Ranger Admin would split the content of the "expression" field
> along the comma, and that's what leads to syntax error in hive logs.