-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74581/
-----------------------------------------------------------
Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Mehul Parikh, and
Nikunj Pansuriya.
Bugs: RANGER-4392
https://issues.apache.org/jira/browse/RANGER-4392
Repository: ranger
Description
-------
Steps to reproduce :
Precondition
1. Hive table with name "testtable1_polcond" exists with tag with attributes
expire_date, and name. Expiry date is in the future, and name has value:
"hivetag".
2. A ranger tag-based policy exists with "Accessed after expiry_date": no, and
the following boolean expression:
ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
providing access to user test_user
Test steps
1. As user test_user in beeline, execute:
select * from testdb1_polcond.testtable1_polcond;
Expected behavior: Query should be executed successfully as tag based policy
provides access.
Actual behavior : Permission denied. In hive logs, the following is seen:
```
2023-08-28 11:43:34,716 INFO org.apache.hadoop.hive.ql.Driver: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(queryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from testdb1_polcond.testtable1_polcond
2023-08-28 11:43:34,944 ERROR org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script, exception=javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: SyntaxError: <eval>:1:66 Expected , but found eof
exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
```
Policy condition response :
```
curl -u 'admin:Admin123' 'https://test-leyqrl-1.test-leyqrl.root.hwx.site:6182/service/plugins/policies/102' \
  -H 'Accept: application/json, text/plain, */*' \
  --insecure
```
In the resulting json, the value for the policy condition is the following:
```
"conditions": [
  {
    "type": "accessed-after-expiry",
    "values": [
      "no"
    ]
  },
  {
    "type": "expression",
    "values": [
      "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
      "\"name\").equals(\"hivetag\");"
    ]
  }
],
```
It looks as if Ranger Admin would split the content of the "expression" field
along the comma, and that's what leads to syntax error in hive logs.
Diffs
-----
security-admin/src/main/webapp/react-webapp/src/components/Editable.jsx
75f7fcff1199345df593ed97c5b7cf0beebd3aca
security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/AddUpdatePolicyForm.jsx
51df2e378a7415936317c6463b4413293e0a9c4c
security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/PolicyConditionsComp.jsx
32d80280984e550027c34c41bda46fda7d5bf07f
Diff: https://reviews.apache.org/r/74581/diff/1/
Testing
-------
Tested changes on a cluster setup with Ranger Admin build with React JS code
base.
Verified below policy condition getting saved correctly from Ranger Admin UI.
```
ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
```
Successful completion of build command :
mvn clean compile package -Psecurity-admin-react
Thanks,
Mugdha Varadkar
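
Added example, not part of the review request above and not Ranger project code: an audit helper that scans exported policy JSON for "expression" conditions whose `values` were split on a comma, as in the response shown in the description. The function names and `samplePolicy` are hypothetical; the sample is constructed from the values quoted in the description, and `rejoined` is only a candidate repair because the original whitespace around the comma is lost.

```javascript
// Constructed sample mirroring the "conditions" block quoted in the description.
const samplePolicy = { conditions: [
  { type: "accessed-after-expiry", values: ["no"] },
  { type: "expression", values: [
    'ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"',
    '"name").equals("hivetag");' ] },
] };

// True when brackets and quotes in a script fragment are balanced.
function isBalanced(fragment) {
  const closers = { ")": "(", "]": "[", "}": "{" };
  const stack = [];
  let quote = null;
  for (let i = 0; i < fragment.length; i++) {
    const ch = fragment[i];
    if (quote) {
      if (ch === "\\") i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // closing quote
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if ("([{".includes(ch)) {
      stack.push(ch);
    } else if (ch in closers) {
      if (stack.pop() !== closers[ch]) return false;
    }
  }
  return quote === null && stack.length === 0;
}

// Walk any JSON shape, find every "conditions" array, and report expression
// conditions that hold a fragment which cannot be a complete script by itself.
function findSplitExpressions(node, path = "$", out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findSplitExpressions(v, `${path}[${i}]`, out));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (key === "conditions" && Array.isArray(value)) {
        value.forEach((c, i) => {
          if (!c || c.type !== "expression" || !Array.isArray(c.values)) return;
          if (c.values.some((v) => !isBalanced(v))) {
            out.push({ path: `${path}.conditions[${i}]`, values: c.values,
                       rejoined: c.values.join(", ") });
          }
        });
      } else { findSplitExpressions(value, `${path}.${key}`, out); }
    }
  }
  return out;
}
```

The balance check is a heuristic: an expression split at a comma that sits outside all brackets and quotes yields balanced fragments and is not flagged, so multi-value expression conditions still deserve a manual look.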