[RANGER-3550] support for using user/tag attributes in row-filter expressions and conditions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.0, 2.3.0
Component/s: plugins
Labels:
None

Description

Enhancing row-filtering (introduced in Ranger 0.6.0 - ~~RANGER-908~~) to enable use of user attributes in filter expressions can help address a wider set of use cases, including the following:

restrict users to see only records of the department they belong to:
```
dept = '${{USER.dept}}'
```

restrict users to see only records assigned to them:
```
assignee = '${{USER._name}}'
```

In addition, it will be useful to be able to refer user/tag attributes in condition expressions, as shown in following examples:

allow access only for full-time users:
```
USER.employeeType == 'full-time'
```

allow access only if VISIBILITY tag has attribute type set to public:
```
TAGS.VISIBILITY.level == 'public'
```

Attachments

Issue Links

relates to

RANGER-3567 support for use of user attributes in policy resources

Resolved

RANGER-3586 Script condition expression to support csv of group/tag attributes

Resolved

RANGER-3605 Support macros in row-filter/condition expressions

Resolved

RANGER-3609 option to add usergroup enricher automatically based on references in policies

Resolved

Activity

People

Assignee:: Madhan Neethiraj

Reporter:: Madhan Neethiraj

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Dec/21 21:30

Updated:: 15/Feb/22 22:03

Resolved:: 21/Dec/21 01:58