Hello guys,

I'm working on a project where we'd like to manage policies on two different tags. We have two main tags, "Business Line" and "Security Classification", which lead to this kind of tagged resource:

- Legal - Secret
- HR - Unrestricted

The policies are Active Directory group-based, therefore I'd like people to be authorized only if they're part of the right group, including permissions on both tags. I.e. only people from the group "Legal Secret" can access "Legal Secret"; if you're part of "Legal Unrestricted" or "HR Secret", you should be denied access.

Here is an example of a policy; I'd like to use the Context section to enforce the group policy:

----
{
  "service": "Sandbox",
  "name": "BL_HR",
  "policyType": 0,
  "description": "Read HR Data",
  "isAuditEnabled": true,
  "isEnabled": true,
  "resources": {
    "tag": { "values": [ "BL_HR" ], "isExcludes": false, "isRecursive": false }
  },
  "policyItems": [
    {
      "accesses": [
        { "type": "hdfs:read", "isAllowed": true },
        { "type": "hive:select", "isAllowed": true }
      ],
      "users": [],
      "groups": [ "hr-unrestricted", "hr-internal", "hr-confidential", "hr-highly-confidential", "allseeingeyes", "data-engineer", "data-scientist" ],
      "conditions": [],
      "delegateAdmin": false
    },
    {
      "accesses": [
        { "type": "hdfs:write", "isAllowed": true },
        { "type": "hive:update", "isAllowed": true },
        { "type": "hive:drop", "isAllowed": true },
        { "type": "hive:alter", "isAllowed": true },
        { "type": "hive:create", "isAllowed": true }
      ],
      "users": [],
      "groups": [ "allseeingeyes", "data-engineer", "data-scientist" ],
      "conditions": [],
      "delegateAdmin": false
    },
    {
      "accesses": [
        { "type": "hdfs:execute", "isAllowed": true }
      ],
      "users": [],
      "groups": [ "hr-unrestricted", "hr-internal", "hr-confidential", "hr-highly-confidential" ],
      "conditions": [],
      "delegateAdmin": false
    }
  ],
  "denyPolicyItems": [
    {
      "accesses": [
        { "type": "hdfs:read", "isAllowed": true },
        { "type": "hdfs:write", "isAllowed": true },
        { "type": "hdfs:execute", "isAllowed": true },
        { "type": "hive:select", "isAllowed": true },
        { "type": "hive:update", "isAllowed": true },
        { "type": "hive:drop", "isAllowed": true },
        { "type": "hive:alter", "isAllowed": true },
        { "type": "hive:create", "isAllowed": true }
      ],
      "users": [],
      "groups": [ "public" ],
      "conditions": [
        {
          "type": "expression",
          "values": [ "if (ctx.getUserGroups().contains(\"hr\"))\n\tctx.result = false;\nelse\n\tctx.result = true;" ]
        }
      ],
      "delegateAdmin": false
    }
  ]
}
----

The context section is just here as an example; we didn't test it per se. Is it possible to use regex and operators (like OR and AND) in this section?

We're on Ranger 0.7.0 and Atlas 0.8.0.

Thanks in advance for your help!

Cyrille

-- 
♻ Be green, keep it on the screen
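The rule the post asks for (a user is allowed only when one of their AD groups carries both the Business Line and the Security Classification of the resource, never when the two values come from separate groups) can be modelled in plain JavaScript, the same language Ranger's "expression" conditions are written in. The block below is an added example and is not code from the original post or from Ranger; it assumes a constructed group-naming scheme of `<businessline>-<classification>` (e.g. `legal-secret`), constructed tag types `BusinessLine` and `SecurityClassification` with a `value` attribute, and, for the last two functions only, that Ranger's script condition exposes `ctx.getUserGroups()` (a Java set with `contains()`) and `ctx.result` as the post's own snippet uses. It goes beyond the post's single case by matching group names with a regex and combining an AND across the two dimensions with an OR across all of the user's groups.

```javascript
// Added example: models "both tags must come from the SAME group" for a
// Business Line / Security Classification tagging scheme. Group naming,
// tag types and the mock ctx are constructed assumptions, not Ranger's API.

// Assumed AD group naming: "<businessline>-<classification>", e.g. "hr-secret"
// or "hr-highly-confidential". Groups such as "data-engineer" do not match.
const GROUP_RE = /^(legal|hr)-([a-z][a-z-]*)$/i;

// Split one AD group into its two dimensions; null if it is not a
// business-line/classification group.
function parseGroup(group) {
  const m = GROUP_RE.exec(group);
  if (!m) return null;
  return { businessLine: m[1].toLowerCase(), classification: m[2].toLowerCase() };
}

// Tags are modelled as [{ type, attributes: { value } }] (constructed shape);
// pick the two dimensions we care about, lower-cased for comparison.
function extractDimensions(tags) {
  let businessLine = null;
  let classification = null;
  for (const t of tags) {
    if (t.type === "BusinessLine") businessLine = String(t.attributes.value).toLowerCase();
    if (t.type === "SecurityClassification") classification = String(t.attributes.value).toLowerCase();
  }
  return { businessLine, classification };
}

// Decision: AND across the two dimensions (same group must carry both),
// OR across the user's groups (any one matching group suffices).
// A resource missing either tag is denied rather than defaulting open.
function isAuthorized(tags, userGroups) {
  const want = extractDimensions(tags);
  if (!want.businessLine || !want.classification) return false;
  return userGroups.some((g) => {
    const p = parseGroup(g);
    return p !== null &&
      p.businessLine === want.businessLine &&
      p.classification === want.classification;
  });
}

// The same rule phrased as a script-condition body for one policy, to be put in
// "conditions": [{ "type": "expression", "values": ["..."] }]. Assumes the
// ctx.getUserGroups().contains(...) / ctx.result interface used in the post.
function conditionScriptFor(businessLine, classification) {
  const group = `${businessLine}-${classification}`.toLowerCase();
  return `ctx.result = ctx.getUserGroups().contains("${group}");`;
}

// Evaluates a condition script against a mock ctx (constructed stand-in for
// Ranger's script context) so the outcome can be checked offline.
function evaluateCondition(script, userGroups) {
  const ctx = {
    result: false,
    getUserGroups: () => ({ contains: (g) => userGroups.includes(g) }),
  };
  new Function("ctx", script)(ctx);
  return ctx.result === true;
}
```

Note that `conditionScriptFor` bakes the expected group into each policy, one policy per (Business Line, Classification) pair; `isAuthorized` shows the general check that would be needed if a single condition had to cover every pair by reading the tag values instead.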