[ https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pradeep Agrawal updated RANGER-3839:
------------------------------------
    Labels: Trino  (was: )

> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
>                 Key: RANGER-3839
>                 URL: https://issues.apache.org/jira/browse/RANGER-3839
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Ramesh Bhanan Byndoor
>            Priority: Major
>              Labels: Trino
>             Fix For: 2.3.0
>
>         Attachments: resourceTags.json, test_ancestor_meta.json
>
>
> Have a use case around this for Trino where user should be able to see
> allowed parents along with child table
>
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>
> Resource
>
> {code:java}
> {
>   "serviceName": "cl1_hive",
>   "resourceElements": {
>     "database": {
>       "values": ["employee"]
>     },
>     "table": {
>       "values": ["personal"]
>     },
>     "column": {
>       "values": ["city"]
>     }
>   },
>   "id": 3,
>   "guid": "employee.personal.city-guid"
> }
> {code}
> Policy
> {code:java}
> {
>   "id": 1,
>   "name": "RESTRICTED_TAG_POLICY",
>   "isEnabled": true,
>   "isAuditEnabled": true,
>   "resources": {
>     "tag": {
>       "values": ["RESTRICTED"],
>       "isRecursive": false
>     }
>   },
>   "policyItems": [{
>     "accesses": [{
>       "type": "hive:select",
>       "isAllowed": true
>     }],
>     "users": ["hive", "user1"],
>     "groups": [],
>     "delegateAdmin": false,
>     "conditions": [{
>       "type": "expression",
>       "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
>     }]
>   }]
> }
> {code}
> The test below is working as expected
> {code:java}
> {
>   "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
>   "request": {
>     "resource": {
>       "elements": {
>         "database": "employee",
>         "table": "personal",
>         "column": "city"
>       }
>     },
>     "accessType": "select",
>     "user": "user1",
>     "userGroups": [],
>     "requestData": "select city from employee.personal;' for user1"
>   },
>   "result": {
>     "isAudited": true,
>     "isAllowed": true,
>     "policyId": 101
>   }
> }
> {code}
> The expectation is how to allow? (without {color:#ff0000}allowing access to
> anything apart from this{color})
> {*}show databases{*};— with results *employee*
> *use employee;*
> *show tables; –* with results *personal*
>
> Please suggest possible ways to solve this/policy creation.
> =====================================================================================================
>
>
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
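
A simplified model of the behaviour the issue asks for, as an added example that is not Ranger code and not part of the original message: metadata listing exposes only the ancestors of resources the tag policy already allows, and grants no data access on those ancestors. The `finance` entry, the `score` values and all function names are constructed for illustration.

```python
# Simplified model of ancestor visibility; this is not Ranger's policy engine.
HIERARCHY = ("database", "table", "column")

# Tagged resources. The first mirrors the issue's resource; the second entry and
# both score values are constructed for illustration.
TAGGED = [
    ({"database": "employee", "table": "personal", "column": "city"},
     {"type": "RESTRICTED", "attributes": {"score": 1}}),
    ({"database": "finance", "table": "payroll", "column": "salary"},
     {"type": "RESTRICTED", "attributes": {"score": 5}}),
]

POLICY = {
    "tag": "RESTRICTED",
    "access": "select",
    "users": {"hive", "user1"},
    # Stand-in for the policy's expression: tagAttr.get('score') < 2
    "condition": lambda attrs: attrs.get("score", float("inf")) < 2,
}


def allowed_resources(user, access):
    """Tagged resources the policy lets `user` reach with `access`."""
    if user not in POLICY["users"] or access != POLICY["access"]:
        return []
    return [res for res, tag in TAGGED
            if tag["type"] == POLICY["tag"] and POLICY["condition"](tag["attributes"])]


def visible_children(user, parent):
    """Names one level below `parent` that lead to an allowed resource.

    `parent` holds the leading hierarchy levels: {} lists databases,
    {"database": "employee"} lists tables. Siblings with no allowed
    descendant are never returned.
    """
    if len(parent) >= len(HIERARCHY):
        return []
    level = HIERARCHY[len(parent)]
    return sorted({res[level] for res in allowed_resources(user, POLICY["access"])
                   if all(res.get(k) == v for k, v in parent.items())})


def is_allowed(user, access, resource):
    """Data access requires an exact match; ancestors gain visibility only."""
    return resource in allowed_resources(user, access)
```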