[jira] [Commented] (RANGER-3997) option to use default value when user/group/tag does not have the attribute

[Himanshu Maurya (Jira)]

    [ 
https://issues.apache.org/jira/browse/RANGER-3997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17817846#comment-17817846
 ] 

Himanshu Maurya commented on RANGER-3997:
-----------------------------------------

Hi [~madhan], Thank you for your confirmation
I have created the issue :- RANGER-4719
I will feel happy to contribute on this

Thanks and Regards

> option to use default value when user/group/tag does not have the attribute
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-3997
>                 URL: https://issues.apache.org/jira/browse/RANGER-3997
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>         Attachments: RANGER-3997.patch, Screenshot 2024-02-15 at 5.07.02 
> PM.png, Screenshot 2024-02-15 at 5.20.36 PM.png, Screenshot 2024-02-15 at 
> 5.27.54 PM.png
>
>
> Consider following row-filter expression that refers to a user attribute: 
> {code:java}
> dept = ${{USER.dept}}{code}
>  
> For this expression to evaluate correctly, all users who run query on the 
> table should have an attribute named dept. To handle users for whom this 
> attribute is not defined, an additional policy-item would be required, as 
> shown below:
> {noformat}
> 1. "condition": "!HAS_USER_ATTR('dept')", "filterExpr": "dept = -1"
>  
> 2. "filterExpr": "dept = ${{USER.dept}}"{noformat}
>  
> Ability to use a default value when the attribute doesn't exist will 
> eliminate the need for the additional policy item, like:
> {noformat}
>  "filterExpr": "dept = ${{GET_USER_ATTR('dept', -1)}}{noformat}
>  
> Added following macros to support optional default value:
>  
> ||Macro||With default value||Description||Example return value||
> |GET_TAG_NAMES()|GET_TAG_NAMES('none')|Names of tags associated with the
> resource, separated by a comma|PII,PCI|
> |GET_TAG_ATTR_NAMES()|GET_TAG_ATTR_NAMES('none')|Names of attributes in tags 
> associated
> with the resource, separated by a comma|piiType,score|
> |GET_TAG_ATTR('score')|GET_TAG_ATTR('score', 0)|Attribute value in tags 
> associated with the
> resource, separated by a comma|0|
> |GET_UG_NAMES()|GET_UG_NAMES('none')|Names of groups the user belongs to,
> separated by a comma|analyst,manager|
> |GET_UG_ATTR_NAMES()|GET_UG_ATTR_NAMES('none')|Names of all attributes in 
> groups the user
> belongs to, separated by a comma|dept,site|
> |GET_UG_ATTR('site')|GET_UG_ATTR('site', 'none')|Attribute value in groups 
> the user belongs
> to, separated by a comma|10,20|
> |GET_UR_NAMES()|GET_UR_NAMES('none')|Names of roles assigned to the user,
> separated by a comma|data-steward,admin|
> |GET_USER_ATTR_NAMES()|GET_USER_ATTR_NAMES('none')|Names of all attributes of 
> the user,
> separated by a comma|name,email|
> |GET_USER_ATTR('email')|GET_USER_ATTR('email', 'none')|Value of user 
> attribute|n...@domain.com|
>  
> For each macro listed above, there is another version with *_Q* added to the 
> name, like:
> {code:java}
> GET_TAG_NAMES_Q(){code}
>  These macros would quote each value, like:
> {code:java}
> 'PII','PCI'{code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)