Jonny Daenen created RANGER-4779:
------------------------------------

Summary: Policy Conditions don't work on mask policy tags
Key: RANGER-4779
URL: https://issues.apache.org/jira/browse/RANGER-4779
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 2.3.0
Reporter: Jonny Daenen

When I try to add *policy conditions* to a *mask policy tag*, I cannot use built-in properties.

*Example 1:* only activate a mask whenever the user is part of a role/group:

{code:javascript}
IS_IN_GROUP('demo_masking')
{code}

{code:javascript}
_ctx.request.userGroups.indexOf('demo_masking') != -1
{code}

*Example 2:* deactivate the mask for a specific user, so that they can write to a Starburst table:

{code:javascript}
GET_USER_ATTR('name')=='some name' || GET_USER_ATTR('user name')=='some name' || GET_USER_ATTR('User Name')=='some name'
{code}

{code:javascript}
if(ctx.getUser().equals("some name")) ctx.result = false;
{code}

*Problems encountered:*
- It is unclear to me whether the functions/syntax I am using are correct (ctx vs _ctx, which functions/macros are allowed?)
- It is unclear what the preferred way of indicating true/false is: ctx.result vs an overall boolean statement
- It is unclear how to debug this in a live system
- It is unclear whether mask policy tags policy conditions are functioning correctly with Starburst/Trino
- It is unclear from the code which part of macros and scripting is applicable to this specific case, making it difficult to understand what is allowed as script

*Proposed solutions:*
- a clear indication in the documentation on the syntax of the policy conditions
- a clear indication in the documentation on whether there are limits in mask policy tags
- a clear indication in the documentation on whether there are limitations with mask policy tags in combination with e.g. Starburst/Trino
- a working example of policy conditions, preferably several common scenarios

I might have overlooked parts of the documentation/code. If that is the case, any pointers in the right direction are much appreciated!

!image-2024-04-19-12-22-50-127.png|width=1458,height=750!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)