[
https://issues.apache.org/jira/browse/RANGER-3997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Himanshu Maurya updated RANGER-3997:
------------------------------------
Attachment: Screenshot 2024-02-15 at 5.27.54 PM.png
Screenshot 2024-02-15 at 5.20.36 PM.png
Screenshot 2024-02-15 at 5.07.02 PM.png
> option to use default value when user/group/tag does not have the attribute
> ---------------------------------------------------------------------------
>
> Key: RANGER-3997
> URL: https://issues.apache.org/jira/browse/RANGER-3997
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Attachments: RANGER-3997.patch, Screenshot 2024-02-15 at 5.07.02
> PM.png, Screenshot 2024-02-15 at 5.20.36 PM.png, Screenshot 2024-02-15 at
> 5.27.54 PM.png
>
>
> Consider the following row-filter expression that refers to a user attribute:
> {code:java}
> dept = ${{USER.dept}}{code}
>
> For this expression to evaluate correctly, all users who run query on the
> table should have an attribute named dept. To handle users for whom this
> attribute is not defined, an additional policy-item would be required, as
> shown below:
> {noformat}
> 1. "condition": "!HAS_USER_ATTR('dept')", "filterExpr": "dept = -1"
>
> 2. "filterExpr": "dept = ${{USER.dept}}"{noformat}
>
> Ability to use a default value when the attribute doesn't exist will
> eliminate the need for the additional policy item, like:
> {noformat}
> "filterExpr": "dept = ${{GET_USER_ATTR('dept', -1)}}"{noformat}
>
> Added the following macros to support optional default value:
>
> ||Macro||With default value||Description||Example return value||
> |GET_TAG_NAMES()|GET_TAG_NAMES('none')|Names of tags associated with the resource, separated by a comma|PII,PCI|
> |GET_TAG_ATTR_NAMES()|GET_TAG_ATTR_NAMES('none')|Names of attributes in tags associated with the resource, separated by a comma|piiType,score|
> |GET_TAG_ATTR('score')|GET_TAG_ATTR('score', 0)|Attribute value in tags associated with the resource, separated by a comma|0|
> |GET_UG_NAMES()|GET_UG_NAMES('none')|Names of groups the user belongs to, separated by a comma|analyst,manager|
> |GET_UG_ATTR_NAMES()|GET_UG_ATTR_NAMES('none')|Names of all attributes in groups the user belongs to, separated by a comma|dept,site|
> |GET_UG_ATTR('site')|GET_UG_ATTR('site', 'none')|Attribute value in groups the user belongs to, separated by a comma|10,20|
> |GET_UR_NAMES()|GET_UR_NAMES('none')|Names of roles assigned to the user, separated by a comma|data-steward,admin|
> |GET_USER_ATTR_NAMES()|GET_USER_ATTR_NAMES('none')|Names of all attributes of the user, separated by a comma|name,email|
> |GET_USER_ATTR('email')|GET_USER_ATTR('email', 'none')|Value of user attribute|[email protected]|
>
> For each macro listed above, there is another version with *_Q* added to the
> name, like:
> {code:java}
> GET_TAG_NAMES_Q(){code}
> These macros would quote each value, like:
> {code:java}
> 'PII','PCI'{code}
>
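
An added example (not from the issue and not Ranger's code): a simplified JavaScript model of the default-value macros described above, showing how a default turns a missing attribute into a sentinel filter such as `dept = -1` instead of an undefined expansion. The sample users, the helper names `evalMacro` and `expandFilter`, the throw on a missing value without a default, and the unquoted default in `_Q` variants are assumptions of this model.

```javascript
// Simplified model of the macro expansion described in RANGER-3997; not Ranger's code.
// Constructed sample users: alice has a dept attribute and groups, bob has neither.
const USERS = {
  alice: { attrs: { dept: "10" }, groups: { analyst: { site: "10" }, manager: { site: "20" } } },
  bob: { attrs: {}, groups: {} },
};

// Values each modelled macro collects for a user, before joining with commas.
const SOURCES = {
  GET_USER_ATTR: (u, name) => (name in u.attrs ? [u.attrs[name]] : []),
  GET_UG_NAMES: (u) => Object.keys(u.groups),
  GET_UG_ATTR: (u, name) => Object.values(u.groups).filter((g) => name in g).map((g) => g[name]),
};

// Parse a literal macro argument: 'text' or a number.
const literal = (s) => (/^'.*'$/.test(s) ? s.slice(1, -1) : Number(s));

function evalMacro(token, user) {
  const attr = /^USER\.(\w+)$/.exec(token);
  if (attr) token = `GET_USER_ATTR('${attr[1]}')`; // model: ${{USER.x}} carries no default
  const m = /^(\w+?)(_Q)?\((.*)\)$/.exec(token);
  const source = m && SOURCES[m[1]];
  if (!source) throw new Error(`unsupported token: ${token}`);
  const args = m[3].split(",").map((s) => s.trim()).filter(Boolean).map(literal);
  const named = source.length - 1; // 1 when the macro takes an attribute name first
  const values = source(user, ...args.slice(0, named));
  const dflt = args[named];
  if (values.length === 0) {
    // Model choice: fail loudly when nothing is defined and no default was given.
    if (dflt === undefined) throw new Error(`no value and no default for ${token}`);
    return String(dflt); // assumption: the default is inserted as given, also for _Q
  }
  return values.map((v) => (m[2] ? `'${v}'` : v)).join(",");
}

// Expand every ${{...}} token in a row-filter expression for one user.
function expandFilter(filterExpr, userName) {
  return filterExpr.replace(/\$\{\{(.*?)\}\}/g, (_, t) => evalMacro(t.trim(), USERS[userName]));
}

for (const name of Object.keys(USERS)) {
  console.log(name, "->", expandFilter("dept = ${{GET_USER_ATTR('dept', -1)}}", name));
}
```

When reviewing such a policy, check that the default is a value no row carries (here `-1`), so a user without the attribute sees no rows.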