  1. Ranger
  2. RANGER-3567

support for use of user attributes in policy resources

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0, 2.3.0
    • plugins
    • None

    Description

      It will be useful to be able to specify policy resources using user attributes - like

      • path=/data/${{USER.dept}}/*
        • matches path /data/sales for users with attribute dept=sales
        • matches path /data/mktg for users with attribute dept=mktg
      • database=test_${{USER.dept}}, table=${{USER._name}}
        • matches database test_sales and table scot for user scot with attribute dept=sales
        • matches database test_mktg and table emily for user emily with attribute dept=mktg

      Note that Ranger already supports tokens in policy resources - like

      • database=test_{USER}
      • database=test_{OWNER}
      • path=/data/sales/{FILENAME}

      Policy resources should be able to include these tokens, in addition to references to user attributes - like:

      • database=test_${{USER.dept}}_{USER}
      • path=/data/${{USER.dept}}/users/{USER}

      When a policy resource has both user-attribute expressions and tokens, the Ranger policy engine should perform the following steps in the given order:

      1. replace user-attribute expressions with their values
        example:  test_${{USER.dept}}_{USER} will be replaced with  test_sales_{USER}
      2. then replace tokens
        example:  test_sales_{USER} will be replaced with test_sales_user1

      A special case to note: when the value that a user-attribute expression evaluates to contains token(s), for example user_{USER}, these tokens will also be replaced by step #2 above.
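
The substitution order described above, modelled in Python as an added example (not Ranger's code and not part of the attached patch). The sample users, the `home` attribute, and the choice to raise on an unresolved reference so that the caller can treat the resource as non-matching are assumptions of this sketch.

```python
import re

# Constructed sample data; in a real deployment these values come from the user store.
USER_ATTRS = {
    "scot":  {"dept": "sales"},
    "emily": {"dept": "mktg"},
    "user1": {"dept": "sales", "home": "user_{USER}"},  # value that itself contains a token
}

ATTR_EXPR = re.compile(r"\$\{\{USER\.([A-Za-z0-9_]+)\}\}")  # ${{USER.attr}}
TOKEN = re.compile(r"\{([A-Z]+)\}")                          # {USER}, {OWNER}, ...


class UnresolvedReference(Exception):
    """Raised so the caller can treat the policy resource as non-matching (assumption)."""


def expand_resource(resource, user, tokens=None):
    """Expand a policy resource for one user: attribute expressions first, then tokens."""
    attrs = dict(USER_ATTRS.get(user, {}), _name=user)  # _name resolves to the user name
    tokens = dict(tokens or {}, USER=user)

    def attr_value(m):
        if m.group(1) not in attrs:
            raise UnresolvedReference(m.group(0))
        return attrs[m.group(1)]

    def token_value(m):
        if m.group(1) not in tokens:
            raise UnresolvedReference(m.group(0))
        return tokens[m.group(1)]

    step1 = ATTR_EXPR.sub(attr_value, resource)  # step 1: user-attribute expressions
    return TOKEN.sub(token_value, step1)         # step 2: tokens, including any from step 1


def attrs_carrying_tokens(user):
    """Names of attributes whose values will be re-interpreted by step 2."""
    return sorted(k for k, v in USER_ATTRS.get(user, {}).items() if TOKEN.search(v))
```

Because step 2 also expands tokens that arrive through attribute values, `attrs_carrying_tokens` is the kind of check to run over the attribute source when those values can be edited outside the policy review process.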

      Attachments

        1. RANGER-3567.patch
          39 kB
          Madhan Neethiraj

            People

              madhan Madhan Neethiraj