Ranger / RANGER-4779

Policy Conditions don't work on mask policy tags


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.3.0
    • Fix Version/s: None
    • Component/s: Ranger
    • Labels: None

    Description

      When I try to add policy conditions to a mask policy tag, I cannot use built-in properties.

      Context: I want to manage access in Starburst based on tags 

      Example 1: only activate a mask whenever the user is part of a role/group:

      IS_IN_GROUP('demo_masking')
      
      _ctx.request.userGroups.indexOf('demo_masking') != -1
      

      Example 2: deactivate the mask for a specific user, so that they can write to a Starburst table:

      GET_USER_ATTR('name')=='some name' || GET_USER_ATTR('user name')=='some name' || GET_USER_ATTR('User Name')=='some name' 
      
      if(ctx.getUser().equals("some name")) ctx.result = false; 
      

      Problems encountered:

      • It is unclear to me whether the functions/syntax I am using are correct (ctx vs _ctx, which functions/macros are allowed?)
      • It is unclear what is the preferred way of indicating true/false: ctx.result vs an overall boolean statement
      • It is unclear how to debug this in a live system
      • It is unclear whether mask policy tags policy conditions are functioning correctly with Starburst/Trino
      • It is unclear from the code which part of macros and scripting is applicable to this specific case, making it difficult to understand what is allowed as script

      Proposed solutions:

      • a clear indication in the documentation on the syntax of the policy conditions
      • a clear indication in the documentation on whether there are limits in mask policy tags
      • a clear indication in the documentation on whether there are limitations with mask policy tags in combination with e.g. Starburst/Trino
      • a working example of policy conditions, preferably several common scenarios

      I might have overlooked parts of the documentation/code. If that is the case, any pointers in the right direction are much appreciated!

       

      Attachments

        1. ranger_issue.png
          118 kB
          Jonny Daenen

          People

            Assignee: Unassigned
            Reporter: Jonny Daenen