[
https://issues.apache.org/jira/browse/RANGER-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonny Daenen updated RANGER-4779:
---------------------------------
Description:
When I try to add *policy conditions* to a {*}mask policy tag{*}, I cannot use
built-in properties.
Context: I want to manage access in Starburst based on tags
Example 1: only activate a mask whenever the user is part of a role/group:
{code:javascript}
IS_IN_GROUP('demo_masking')
{code}
{code:javascript}
_ctx.request.userGroups.indexOf('demo_masking') != -1
{code}
*Example 2:* deactivate the mask for a specific user, so that they can write to
a Starburst table:
{code:javascript}
GET_USER_ATTR('name')=='some name' || GET_USER_ATTR('user name')=='some name'
|| GET_USER_ATTR('User Name')=='some name'
{code}
{code:javascript}
if(ctx.getUser().equals("some name")) ctx.result = false;
{code}
*Problems encountered:*
- It is unclear to me whether the functions/syntax I am using are correct (ctx
vs _ctx, which functions/macros are allowed?)
- It is unclear what is the preferred way of indicating true/false: ctx.result
vs an overall boolean statement
- It is unclear how to debug this in a live system
- It is unclear whether mask policy tags policy conditions are functioning
correctly with Starburst/Trino
- It is unclear from the code which part of macros and scripting is applicable
to this specific case, making it difficult to understand what is allowed as
script
*Proposed solutions:*
- a clear indication in the documentation on the syntax of the policy
conditions
- a clear indication in the documentation on whether there are limits in mask
policy tags
- a clear indication in the documentation on whether there are limitations
with mask policy tags in combination with e.g. Starburst/Trino
- a working example of policy conditions, preferably several common scenarios
I might have overlooked parts of the documentation/code. If that is the case,
any pointers in the right direction are much appreciated!
!image-2024-04-19-12-25-04-879.png!
was:
When I try to add *policy conditions* to a {*}mask policy tag{*}, I cannot use
built-in properties.
Example 1: only activate a mask whenever the user is part of a role/group:
{code:javascript}
IS_IN_GROUP('demo_masking')
{code}
{code:javascript}
_ctx.request.userGroups.indexOf('demo_masking') != -1
{code}
*Example 2:* deactivate the mask for a specific user, so that they can write to
a Starburst table:
{code:javascript}
GET_USER_ATTR('name')=='some name' || GET_USER_ATTR('user name')=='some name'
|| GET_USER_ATTR('User Name')=='some name'
{code}
{code:javascript}
if(ctx.getUser().equals("some name")) ctx.result = false;
{code}
*Problems encountered:*
- It is unclear to me whether the functions/syntax I am using are correct (ctx
vs _ctx, which functions/macros are allowed?)
- It is unclear what is the preferred way of indicating true/false: ctx.result
vs an overall boolean statement
- It is unclear how to debug this in a live system
- It is unclear whether mask policy tags policy conditions are functioning
correctly with Starburst/Trino
- It is unclear from the code which part of macros and scripting is applicable
to this specific case, making it difficult to understand what is allowed as
script
*Proposed solutions:*
- a clear indication in the documentation on the syntax of the policy
conditions
- a clear indication in the documentation on whether there are limits in mask
policy tags
- a clear indication in the documentation on whether there are limitations
with mask policy tags in combination with e.g. Starburst/Trino
- a working example of policy conditions, preferably several common scenarios
I might have overlooked parts of the documentation/code. If that is the case,
any pointers in the right direction are much appreciated!
!image-2024-04-19-12-22-50-127.png|width=1458,height=750!
> Policy Conditions don't work on mask policy tags
> ------------------------------------------------
>
> Key: RANGER-4779
> URL: https://issues.apache.org/jira/browse/RANGER-4779
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.3.0
> Reporter: Jonny Daenen
> Priority: Major
> Attachments: ranger_issue.png
>