> On Dec. 11, 2023, 6 p.m., Barbara Eckman wrote:
> > This is a great idea! It's very useful to have all dynamic expressions in
> > one place!
> >
> > One example is incorrect, though: "data_source in
> > (${{USER.allowedSources}})". The problem is that IN requires an array on
> > the RHS, but (${{USER.allowedSources}}) evaluates to "(source1, source2)."
> > Using GET_USER_ATTR_Q just adds quotes around it and yields "source1, source2",
> > but it doesn't create an array. A split is needed, or the notation
> > [[USER.allowedSources]], a la RANGER-2434.
>
> Barbara Eckman wrote:
> My preferred method of addressing this would be changing the type of the
> UserStore from Map<String, Map<String, String>> to Map<String, Map<String,
> ArrayList<String>> or some such. Apache Atlas handles array-valued
> attributes of tags. It would be great if Ranger handled arrays too!
>
> Madhan Neethiraj wrote:
> @Barbara - good point! I will add a note in the blog that the expression
> should evaluate to a valid value for the context. In this example,
> data_source is a numeric column with USER.allowedSources having a list of
> numbers separated by a comma - like 10,11,18.
>
> Let's look for an easier way to handle the use case you raised. How about
> this?: data_source in (QUOTED_CSV(USER.allowedSources))
>
> Barbara Eckman wrote:
> I tried QUOTED_CSV() but got this error:
> ERROR [main] (RangerRequestScriptEvaluator.java:264) -
> RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script
> javax.script.ScriptException: ReferenceError: "QUOTED_CSV" is not defined
> in <eval> at line number 1
>
> Barbara Eckman wrote:
> Maybe I didn't understand your comment, but I tried the following:
> USER.EventType = "10,20,30"
> condition: 10 in (USER.EventType)
> Error message:
> ERROR [main] (RangerRequestScriptEvaluator.java:264) -
> RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script
> javax.script.ScriptException: TypeError: Right hand side of "in" cannot
> be non-Object, found string in <eval> at line number 1
>
> Am I missing something?
>
> Madhan Neethiraj wrote:
> Barbara - the example row-filter expression (given below) would be
> evaluated by Ranger policy engine to "data_source in (10,11,16)", which would
> then be executed in a SQL engine.
> data_source in (${{USER.allowedSources}})
>
> Also, reference to QUOTED_CSV() in my earlier comment was about an
> enhancement TBD. Ranger community will continue to review and enhance to
> support more use cases.
>
> In your use case here, user attribute EventType is a
> comma-separated-value string. This needs to be parsed into an array/list
> before checking if a value is present. Perhaps we should look into
> adding PARSE_CSV() method? Then the condition can be written as:
> PARSE_CSV(USER.EventType).includes(10)
Hi Madhan,
Sorry for the confusion, I should have realized that in a row filter the syntax
will be of the underlying engine.
You said:
"In your use case here, user attribute EventType is a comma-separated-value
string. This needs to be parsed into an array/list before checking if a value
is present. Perhaps we should look into adding PARSE_CSV() method? Then
the condition can be written as:
PARSE_CSV(USER.EventType).includes(10)"
This is PRECISELY the use case for RANGER-2434: eliminate the need for
"split"-ing delimited strings into arrays by using the notation [[
<string>,'<optional delimiter>']]. Personally, I prefer this notation to
something referring to "comma-separated values" and then taking a different
delimiter as a param. :-) It does seem to work in row filters as well as other
policy conditions, but I admit I haven't tried it with hive.
- Barbara
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74778/#review226035
-----------------------------------------------------------
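The two evaluation paths discussed in this thread, as an added example that is not part of the original e-mails or of Ranger's code: a JavaScript condition where `in` is applied to a comma-separated string, and a row filter whose macro is expanded to SQL text. `parseCsv` and `expandRowFilter` are hypothetical stand-ins for the proposed PARSE_CSV() and for the policy engine's macro expansion, and the `USER` values are constructed.

```javascript
// Constructed sample: user attributes stored as comma-separated strings,
// as in the thread (USER.EventType = "10,20,30").
const USER = { EventType: "10,20,30", allowedSources: "10,11,16" };

// 1. `in` tests property names, not membership, and rejects a primitive string
//    on its right-hand side. This is the TypeError reported in the thread.
function inOnString(value, csv) {
  try {
    return value in csv;
  } catch (e) {
    return e.name; // name of the thrown error
  }
}

// 2. Splitting is not enough: on an array, `in` checks indexes, so the value 10
//    is not found in a three-item array, while the index 1 is.
function inOnArray(value, csv) {
  return value in csv.split(",");
}

// 3. Hypothetical stand-in for PARSE_CSV(): split, trim, drop empty items, and
//    convert numeric items so includes(10) compares number with number.
function parseCsv(csv, delimiter = ",") {
  return String(csv).split(delimiter).map(s => s.trim()).filter(s => s !== "")
    .map(s => (/^-?\d+(\.\d+)?$/.test(s) ? Number(s) : s));
}

// 4. Toy model of row-filter expansion: ${{USER.attr}} becomes text that the SQL
//    engine parses. Assumption for this sketch: the column is numeric, so any
//    attribute that is not a list of numbers is rejected instead of substituted.
function expandRowFilter(filter, user) {
  return filter.replace(/\$\{\{USER\.(\w+)\}\}/g, (_, attr) => {
    const items = parseCsv(user[attr]);
    if (!items.length || !items.every(v => typeof v === "number")) {
      throw new Error(`USER.${attr} is not a list of numbers`);
    }
    return items.join(",");
  });
}
```

The rejection in step 4 covers the "source1, source2" case raised at the top of the thread: string values would need quoting before they form a valid SQL list, so this sketch refuses them rather than emitting them unquoted.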
On Dec. 11, 2023, 2:16 a.m., Madhan Neethiraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74778/
> -----------------------------------------------------------
>
> (Updated Dec. 11, 2023, 2:16 a.m.)
>
>
> Review request for ranger, Anand Nadar, Ankita Sinha, Abhay Kulkarni, Monika
> Kachhadiya, Ramesh Mani, Sailaja Polavarapu, Subhrat Chaudhary, and
> Velmurugan Periasamy.
>
>
> Bugs: RANGER-4587
> https://issues.apache.org/jira/browse/RANGER-4587
>
>
> Repository: ranger
>
>
> Description
> -------
>
> added blog with details of using dynamic expressions in Apache Ranger policies
>
>
> Diffs
> -----
>
> docs/src/site/resources/blogs/dynamic_expressions.html PRE-CREATION
> docs/src/site/xdoc/blogs.xml 2f81ef7c4
>
>
> Diff: https://reviews.apache.org/r/74778/diff/1/
>
>
> Testing
> -------
>
> - built and ran updated docs with mvn site:run
> - verified that the new blog is seen in the blog list
> - verified that the new blog renders correctly in browser
>
>
> File Attachments
> ----------------
>
> Apache Ranger - dynamic expressions.pdf
>
> https://reviews.apache.org/media/uploaded/files/2023/12/11/a8d4e7f9-5ec7-4527-9d3c-245c15f49573__Apache_Ranger_-_dynamic_expressions.pdf
>
>
> Thanks,
>
> Madhan Neethiraj
>
>