Hey Bosco, thank you for the reply. So are you suggesting that I can push the resource-tag mappings into Ranger, and then when performing a resource access request evaluation, Ranger will use this mapping to determine which tags are associated with the resource?
Elliot. On Mon, 4 Jan 2021 at 15:54, Don Bosco Durai <bo...@apache.org> wrote: > Hi Elliot > > > > Are the tags in Ranger, if so, won’t it automatically take care of your > use case? > > > > Bosco > > > > > > *From: *Elliot West <tea...@gmail.com> > *Reply-To: *<user@ranger.apache.org> > *Date: *Monday, January 4, 2021 at 1:16 AM > *To: *<user@ranger.apache.org> > *Subject: *Multi-tag policy evaluation > > > > Hello, > > > > I'm implementing some custom plug-ins that have their own non-Atlas tag > sources. In my authorisation model, a resource may have multiple tags > assigned to it concurrently. > > > > For example, If resource R has tags A and B assigned, then I would expect > that a access request for resource R might consider resource policies > matching R, and tag policies matching A and B. > > > > As I understand it, when I want to perform an authorisation request within > a plugin implementation I will need to pass through a suitable > RangerAccessRequest to the RangerBasePlugin instance. However, I'm unable > to find a RangerAccessResource that allows me to specify multiple tags. The > closest I can find is RangerTagResource that allows the specification of a > single tag. > > > > How should I evaluate access requests for resources with multiple tags? My > current assumption is that I must evaluate a request for each tag assigned > to the accessed resource in turn and then logically AND them? However, this > would seem to me to equate to additional, unencapsulated, and hidden policy > evaluation logic. > > > > I would appreciate any insights that others have on this. > > > > Many thanks, > > > > Elliot. >
