Hello, I'm implementing some custom plug-ins that have their own non-Atlas tag sources. In my authorisation model, a resource may have multiple tags assigned to it concurrently.
For example, If resource R has tags A and B assigned, then I would expect that a access request for resource R might consider resource policies matching R, and tag policies matching A and B. As I understand it, when I want to perform an authorisation request within a plugin implementation I will need to pass through a suitable RangerAccessRequest to the RangerBasePlugin instance. However, I'm unable to find a RangerAccessResource that allows me to specify multiple tags. The closest I can find is RangerTagResource that allows the specification of a single tag. How should I evaluate access requests for resources with multiple tags? My current assumption is that I must evaluate a request for each tag assigned to the accessed resource in turn and then logically AND them? However, this would seem to me to equate to additional, unencapsulated, and hidden policy evaluation logic. I would appreciate any insights that others have on this. Many thanks, Elliot.
