Uploaded image for project: 'Ranger'
  1. Ranger
  2. RANGER-3605

Support macros in row-filter/condition expressions

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0, 2.3.0
    • plugins
    • None

    Description

      Enhancements in RANGER-3550, RANGER-3567, RANGER-3586 enable use of user/group/tag attributes in row-filter/condition expressions. To make it easier to refer to these attributes, it will help to be able to use macros instead of method calls, as shown below:

      site in ( ${{GET_UG_ATTR_CSV('site')}} )

      instead of

      site in ( ${{ctx.ugAttrCsv('site')}} )

       

      Following macros will be supported with this enhancement:

      Macro Example Usage Example Evaluated Value
      GET_TAG_ATTR_CSV siteCode in (${{GET_TAG_ATTR_CSV('siteCode')}}) siteCode in (10,20)
      GET_TAG_ATTR_Q_CSV siteId in (${{GET_TAG_ATTR_Q_CSV('siteId')}}) siteId in ('site1','site2')
      GET_UG_ATTR_CSV groupId in (${{GET_UG_ATTR_CSV('groupId'))}} groupId in (10,20,30)
      GET_UG_ATTR_Q_CSV manager in (${{GET_UG_ATTR_Q_CSV('manager')}}) manager in ('jane','john','scott')
      TAG_ATTR_NAMES_Q_CSV attr_name in (${{TAG_ATTR_NAMES_Q_CSV}}) attr_name in ('siteId','siteCode')
      TAG_NAMES_Q_CSV tag_name in (${{TAG_NAMES_Q_CSV}}) tag_name in ('PII','PCI')
      UG_ATTR_NAMES_Q_CSV attr_name in (${{UG_ATTR_NAMES_Q_CSV}}) attr_name in ('groupId','manager')
      UG_NAMES_Q_CSV group_name in (${{UG_NAMES_Q_CSV}}) group_name in ('group1','group2')
      UR_NAMES_Q_CSV role_name in (${{UR_NAMES_Q_CSV}}) role_name in ('role1','role2')
      USER_ATTR_NAMES_Q_CSV attr_name in (${{USER_ATTR_NAMES_Q_CSV}}) attr_name in ('dept','state')

       

      In addition to above macros, user/group/tag attributes can be referenced in row-filter and policy resource-names with the expressions inside ${{ }} as shown below :

      Expressions Example Evaluated Value
      state == '${{USER.state}}' AND dept == '${{UG['group1'].dept'}} state == 'WA' AND dept == 'Sales'
      attr1 == '${{TAG.attr1'}} attr1 == 'PII_value'
      pii_type == '${{TAGS['PII']['type']'}} pii_type == 'email'
      s3://mybucket/users/${{USER._name}}/${{USER.state}}/test.txt s3://mybucket/users/test-user/WA/test.txt

       

       

      Attachments

        1. RANGER-3605.patch
          18 kB
          Madhan Neethiraj

        Issue Links

          is related to

          Improvement - An improvement or enhancement to an existing feature or task. RANGER-3550 support for using user/tag attributes in row-filter expressions and conditions

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. RANGER-3567 support for use of user attributes in policy resources

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. RANGER-3586 Script condition expression to support csv of group/tag attributes

          • Major - Major loss of function.
          • Resolved
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. RANGER-3609 option to add usergroup enricher automatically based on references in policies

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. RANGER-3764 conditions to support macros IS_IN_GROUP, IS_IN_ROLE, HAS_TAG

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link Patch in review board

          Activity

            People

              madhan Madhan Neethiraj
              madhan Madhan Neethiraj
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: