[
https://issues.apache.org/jira/browse/RANGER-4234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Barbara Eckman updated RANGER-4234:
-----------------------------------
Description:
RANGER-3940 created JavaScript polyfills to support set operations in policy
conditions and row filters via includes() and intersects(). Since Ranger
doesn't support arrays in tag or userStore attribute values, in order to do
these set operations we need to convert a delimited string into an array via
split(). This results in undesirably complex conditions, relatively hard to
maintain and error-prone.
I propose using the "[[...]]" syntax to indicate that an element is
semantically an array. I've written a Java method to replace the double
brackets with the split() syntax before the script or row filter is executed.
If no delimiter is explicitly given, "," is assumed.
Examples:
|*As written in policy/row filter condition*|*As sent for evaluation*|
|[[USER[TAG._type],"f"]].intersects([[TAG.value]])|USER[TAG._type].split("f").intersects(TAG.value.split(","))|
|[["${{USER.partners}}"]].includes(partner)|"${{USER.partners}}".split(",").includes(partner)|
was:
RANGER-3940 created JavaScript polyfills to support set operations in policy
conditions and row filters via includes() and intersects(). Since Ranger
doesn't support arrays in tag or userStore attribute values, in order to do
these set operations we need to convert a delimited string into an array via
split(). This results in undesirably complex conditions, relatively hard to
maintain and error-prone.
I propose using the "[[...]]" syntax to indicate that an element is
semantically an array. I've written a Java method to replace the double
brackets with the split() syntax before the script or row filter is executed.
If no delimiter is explicitly given, "," is assumed.
Examples:
|*As written in policy/row filter condition*|*As sent for evaluation*|
|[[USER[TAG._type],"f"]].intersects([[TAG.value]])|USER[TAG._type].split("f").intersects(TAG.value.split(","))|
|[["${{USER.partners}}"]].includes(partner)|"${{USER.partners}}".split(",").includes(partner)|
This method, String newstr replaceDoubleBrackets(String str) is called from
RangerRequestScriptEvaluator.evaluateScript(ScriptEngine scriptEngine, String
script, boolean enableJsonCtx)
and from RangerPolicy.RangerPolicyItemRowFilterInfo.setFilterExpr(String
filterExpr).
Here is the method:
{code:java}
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// "log" is the enclosing class's logger.
private String replaceDoubleBrackets(String str) {
    // The delimiter group is lazy (.+?) so that two delimited arrays in one
    // condition are matched separately instead of as a single span.
    String re =
        "\\[\\[([}{\\$\"a-zA-Z0-9_.\\[\\]]+)(\\,['\\\"](.+?)['\\\"])*\\]\\]";
    /*
      group(0) is the matched string
      group(1) is what's inside the double brackets
      group(2) is the optional ', "delimiter"' text
      group(3) is the delimiter itself, if given
    */
    Matcher m = Pattern.compile(re).matcher(str);
    while (m.find()) {
        String s0 = m.group(0);
        String s1 = m.group(1);
        String s2 = m.group(2);
        String s3 = m.group(3);
        // Default to "," when no delimiter was written.
        String delim = s3 == null ? "," : s3;
        if (log.isDebugEnabled()) {
            log.debug("==> s0={} s1={} s2={} delim={}", s0, s1, s2, delim);
        }
        // Replace the bracketed form with the equivalent split() call.
        str = str.replace(s0, s1 + ".split(\"" + delim + "\")");
    }
    return str;
}
{code}
> Eliminate need for splitting delimited strings into arrays in policy
> conditions
> -------------------------------------------------------------------------------
>
> Key: RANGER-4234
> URL: https://issues.apache.org/jira/browse/RANGER-4234
> Project: Ranger
> Issue Type: Improvement
> Components: plugins, Ranger
> Reporter: Barbara Eckman
> Assignee: Barbara Eckman
> Priority: Major
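The rewrite described in this issue, carried through to evaluation, as an added JavaScript example that is not part of the original message or of Ranger's code. `rewriteDoubleBrackets`, `evalCondition`, the `intersects` stand-in (assumed to return true when two arrays share an element) and the sample USER/TAG values are assumptions; the delimiter is matched lazily and emitted with `JSON.stringify` so the generated string literal stays well-formed.

```javascript
// Added example, not Ranger code; names and sample data are constructed.

// The issue's pattern as a JavaScript regex: group 1 is the expression inside
// [[ ]], group 3 the optional quoted delimiter (lazy, so two delimited arrays
// in one condition are matched separately).
const DOUBLE_BRACKETS = /\[\[([}{$"a-zA-Z0-9_.\[\]]+)(,['"](.+?)['"])*\]\]/g;

// Rewrite [[expr]] or [[expr,"d"]] to expr.split("d"); "," is the default.
function rewriteDoubleBrackets(condition) {
  return condition.replace(DOUBLE_BRACKETS, (_whole, expr, _opt, delim) => {
    // JSON.stringify yields a valid string literal even when the delimiter
    // is itself a quote or backslash.
    const literal = JSON.stringify(delim === undefined ? "," : delim);
    return `${expr}.split(${literal})`;
  });
}

// Stand-in for the intersects() polyfill (assumed semantics: true when the
// two arrays share at least one element).
if (!Array.prototype.intersects) {
  Object.defineProperty(Array.prototype, "intersects", {
    value(other) { return this.some((item) => other.includes(item)); },
    configurable: true,
  });
}

// Evaluate a condition the way a script engine would see it after the rewrite.
// ctx supplies the variables the condition refers to (constructed sample data).
function evalCondition(condition, ctx) {
  const body = `return (${rewriteDoubleBrackets(condition)});`;
  return new Function(...Object.keys(ctx), body)(...Object.values(ctx));
}

const condition = '[[USER[TAG._type],"f"]].intersects([[TAG.value]])';
const tag = { _type: "ZONES", value: "east,west" };
console.log(rewriteDoubleBrackets(condition));
console.log(evalCondition(condition, { USER: { ZONES: "northfwest" }, TAG: tag }));
console.log(evalCondition(condition, { USER: { ZONES: "northfsouth" }, TAG: tag }));
```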