Hi Elliot
Are the tags in Ranger, if so, won’t it automatically take care of your use case? Bosco From: Elliot West <tea...@gmail.com> Reply-To: <user@ranger.apache.org> Date: Monday, January 4, 2021 at 1:16 AM To: <user@ranger.apache.org> Subject: Multi-tag policy evaluation Hello, I'm implementing some custom plug-ins that have their own non-Atlas tag sources. In my authorisation model, a resource may have multiple tags assigned to it concurrently. For example, If resource R has tags A and B assigned, then I would expect that a access request for resource R might consider resource policies matching R, and tag policies matching A and B. As I understand it, when I want to perform an authorisation request within a plugin implementation I will need to pass through a suitable RangerAccessRequest to the RangerBasePlugin instance. However, I'm unable to find a RangerAccessResource that allows me to specify multiple tags. The closest I can find is RangerTagResource that allows the specification of a single tag. How should I evaluate access requests for resources with multiple tags? My current assumption is that I must evaluate a request for each tag assigned to the accessed resource in turn and then logically AND them? However, this would seem to me to equate to additional, unencapsulated, and hidden policy evaluation logic. I would appreciate any insights that others have on this. Many thanks, Elliot.
