bowenliang123 opened a new issue, #3217: URL: https://github.com/apache/incubator-kyuubi/issues/3217
### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) ### Search before asking - [X] I have searched in the [issues](https://github.com/apache/incubator-kyuubi/issues?q=is%3Aissue) and found no similar issues. ### Which parts of the documentation do you think need improvement? Support macros in Row-filter condition expression, introduced in Ranger 2.3 ([release notes](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes)), is an major feature to significantly simplify the row-filter condition expression by replacing explicit condition query by using user/group's attributes in practices. - [RANGER-3605](https://issues.apache.org/jira/browse/RANGER-3605) : Support macros in row-filter/condition expressions - [RANGER-3550](https://issues.apache.org/jira/browse/RANGER-3550) : support for using user/tag attributes in row-filter expressions and conditions Consider user `liangtiancheng` with attribute `born_city` = `guangzhou`, we can define the row filter condition with `city='${{USER.born_city}}'` with macros. However, This feature implicit relies on an config named `ranger.plugin.spark.enable.implicit.userstore.enricher` and the default value `false` will prevent `RangerUserStoreEnricher` fetching user/group and their attributes. Macros in row-filter condition will fallback to null value (as lack of user attributes value in `UserStore` of auth context) in script transformation as unexpected. Improving doc of `ranger-spark-security.xml` to aware of this feature and related config. ### Affects Version(s) 1.6.0 ### Improving the documentation By adding the config suggestion here in AuthZ plugin docs of sample `ranger-spark-security.xml` in <https://github.com/apache/incubator-kyuubi/blob/master/docs/security/authorization/spark/install.md> ``` <property> <name>ranger.plugin.spark.enable.implicit.userstore.enricher</name> <value>true</value> <description>Enable UserStoreEnricher for fetching user and group attributes if using marcros or scripts in row-filters since Ranger 2.3</description> </property> ``` ### Anything else _No response_ ### Are you willing to submit PR? - [X] Yes I am willing to submit a PR! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
