Description
It will be useful to be able to specify policy resources using user attributes, like:
- path=/data/${{USER.dept}}/*
  - matches path /data/sales for users with attribute dept=sales
  - matches path /data/mktg for users with attribute dept=mktg
- database=test_${{USER.dept}}, table=${{USER._name}}
  - matches database test_sales and table scot for user scot with attribute dept=sales
  - matches database test_mktg and table emily for user emily with attribute dept=mktg
Note that Ranger already supports tokens in policy resources - like
- database=test_{USER}
- database=test_{OWNER}
- path=/data/sales/{FILENAME}
Policy resources should be able to include these tokens, in addition to references to user attributes - like:
- database=test_${{USER.dept}}_{USER}
- path=/data/${{USER.dept}}/users/{USER}
When a policy resource has both user-attribute expressions and tokens, the Ranger policy engine should perform the following steps in the given order:
1. replace each user-attribute expression with its value
   example: test_${{USER.dept}}_{USER} will be replaced with test_sales_{USER}
2. replace each token with its value
   example: test_sales_{USER} will be replaced with test_sales_user1
A special case to note: when the value a user-attribute expression evaluates to itself contains token(s), for example user_{USER}, that token will also be replaced by step #2 above.
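As an added example (not Ranger's own code), the two-step expansion the description specifies, written in Python over constructed user attributes: attribute expressions are resolved first, then tokens, so a token carried in an attribute value is also resolved. How an unresolvable attribute or token is treated (here: raise, rather than leave a literal that could match by accident) is an assumption; the issue does not define it.

```python
import re

# ${{USER.<attr>}} expressions (step 1) and {TOKEN} tokens (step 2).
# TOKEN_RE only matches upper-case names, so an unexpanded "{USER.dept}"
# fragment can never be mistaken for a token.
USER_ATTR_RE = re.compile(r"\$\{\{USER\.([A-Za-z_][A-Za-z0-9_]*)\}\}")
TOKEN_RE = re.compile(r"\{([A-Z_]+)\}")

# Constructed sample users; assumption: "_name" holds the login name.
USERS = {
    "scot":  {"_name": "scot",  "dept": "sales"},
    "emily": {"_name": "emily", "dept": "mktg"},
    # attribute value that itself contains a token (the special case above)
    "dave":  {"_name": "dave",  "dept": "user_{USER}"},
}


def expand_resource(resource, user_attrs, tokens=None):
    """Expand one policy resource string for a user.

    Step 1 replaces ${{USER.attr}} from `user_attrs`; step 2 replaces
    {TOKEN} from `tokens` (USER defaults to the login name). Because step 2
    runs on the output of step 1, tokens introduced by attribute values are
    expanded too. Anything unresolvable raises ValueError (assumption).
    """
    tokens = dict(tokens or {})
    tokens.setdefault("USER", user_attrs["_name"])

    def attr_sub(match):
        name = match.group(1)
        if name not in user_attrs:
            raise ValueError(f"unknown user attribute {name!r}")
        return user_attrs[name]

    def token_sub(match):
        name = match.group(1)
        if name not in tokens:
            raise ValueError(f"unresolved token {{{name}}}")
        return tokens[name]

    after_attrs = USER_ATTR_RE.sub(attr_sub, resource)   # step 1
    return TOKEN_RE.sub(token_sub, after_attrs)          # step 2


if __name__ == "__main__":
    print(expand_resource("database=test_${{USER.dept}}_{USER}", USERS["scot"]))
    print(expand_resource("test_${{USER.dept}}", USERS["dave"]))
```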
Issue Links
- is related to
  - RANGER-3550 support for using user/tag attributes in row-filter expressions and conditions (Resolved)
- relates to
  - RANGER-3586 Script condition expression to support csv of group/tag attributes (Resolved)
  - RANGER-3605 Support macros in row-filter/condition expressions (Resolved)
  - RANGER-3609 option to add usergroup enricher automatically based on references in policies (Resolved)