Description
Enhancements in RANGER-3550, RANGER-3567, RANGER-3586 enable use of user/group/tag attributes in row-filter/condition expressions. To make it easier to refer to these attributes, it will help to be able to use macros instead of method calls, as shown below:
site in ( ${{GET_UG_ATTR_CSV('site')}} )
instead of
site in ( ${{ctx.ugAttrCsv('site')}} )
The following macros will be supported with this enhancement:
Macro | Example Usage | Example Evaluated Value |
---|---|---|
GET_TAG_ATTR_CSV | siteCode in (${{GET_TAG_ATTR_CSV('siteCode')}}) | siteCode in (10,20) |
GET_TAG_ATTR_Q_CSV | siteId in (${{GET_TAG_ATTR_Q_CSV('siteId')}}) | siteId in ('site1','site2') |
GET_UG_ATTR_CSV | groupId in (${{GET_UG_ATTR_CSV('groupId')}}) | groupId in (10,20,30) |
GET_UG_ATTR_Q_CSV | manager in (${{GET_UG_ATTR_Q_CSV('manager')}}) | manager in ('jane','john','scott') |
TAG_ATTR_NAMES_Q_CSV | attr_name in (${{TAG_ATTR_NAMES_Q_CSV}}) | attr_name in ('siteId','siteCode') |
TAG_NAMES_Q_CSV | tag_name in (${{TAG_NAMES_Q_CSV}}) | tag_name in ('PII','PCI') |
UG_ATTR_NAMES_Q_CSV | attr_name in (${{UG_ATTR_NAMES_Q_CSV}}) | attr_name in ('groupId','manager') |
UG_NAMES_Q_CSV | group_name in (${{UG_NAMES_Q_CSV}}) | group_name in ('group1','group2') |
UR_NAMES_Q_CSV | role_name in (${{UR_NAMES_Q_CSV}}) | role_name in ('role1','role2') |
USER_ATTR_NAMES_Q_CSV | attr_name in (${{USER_ATTR_NAMES_Q_CSV}}) | attr_name in ('dept','state') |
In addition to the above macros, user/group/tag attributes can be referenced in row-filters and policy resource names with expressions inside ${{ }}, as shown below:
Expressions | Example Evaluated Value |
---|---|
state == '${{USER.state}}' AND dept == '${{UG['group1'].dept}}' | state == 'WA' AND dept == 'Sales' |
attr1 == '${{TAG.attr1}}' | attr1 == 'PII_value' |
pii_type == '${{TAGS['PII']['type']}}' | pii_type == 'email' |
s3://mybucket/users/${{USER._name}}/${{USER.state}}/test.txt | s3://mybucket/users/test-user/WA/test.txt |
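
The expansions in the two tables above can be reproduced with a small model. This is an added example, not code from Apache Ranger: the `ctx` sample data, the helper names (`evalExpr`, `expand`, `lintUnquoted`) and the numeric-only check are assumptions made for illustration, and only a subset of the macros is covered.

```javascript
// Simplified model of ${{ }} expansion for illustration; not Apache Ranger's code.
// Constructed sample context; values mirror the example tables.
const ctx = {
  USER: { _name: 'test-user', state: 'WA', dept: 'Sales' },
  UG:   { group1: { dept: 'Sales', groupId: '10', manager: 'jane' },
          group2: { groupId: '20', manager: 'john' } },
  TAGS: { PII: { type: 'email', siteCode: '10', siteId: 'site1' },
          PCI: { siteCode: '20', siteId: 'site2' } },
};
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const quote = v => `'${v}'`;
const values = (sets, attr) => Object.values(sets).filter(a => has(a, attr)).map(a => a[attr]);

// Subset of the macros in the table; each returns the text spliced into the filter.
const MACROS = {
  GET_TAG_ATTR_CSV:   a => values(ctx.TAGS, a).join(','),
  GET_TAG_ATTR_Q_CSV: a => values(ctx.TAGS, a).map(quote).join(','),
  GET_UG_ATTR_CSV:    a => values(ctx.UG, a).join(','),
  GET_UG_ATTR_Q_CSV:  a => values(ctx.UG, a).map(quote).join(','),
  TAG_NAMES_Q_CSV:    () => Object.keys(ctx.TAGS).map(quote).join(','),
  UG_NAMES_Q_CSV:     () => Object.keys(ctx.UG).map(quote).join(','),
};

// Evaluate one expression: a macro, or a path such as UG['group1'].dept.
function evalExpr(expr) {
  const m = /^(\w+)(?:\('(\w+)'\))?$/.exec(expr);
  if (m && has(MACROS, m[1])) return MACROS[m[1]](m[2]);
  const segs = [...expr.matchAll(/(?:^|\.)(\w+)|\['([^']+)'\]/g)];
  if (segs.reduce((n, s) => n + s[0].length, 0) !== expr.length)
    throw new Error(`malformed expression: ${expr}`);
  let v = ctx;
  for (const s of segs) {
    const key = s[1] ?? s[2];
    if (typeof v !== 'object' || !has(v, key)) throw new Error(`unresolved: ${expr}`);
    v = v[key];
  }
  if (typeof v !== 'string') throw new Error(`not a scalar attribute: ${expr}`);
  return v;
}

// Replace every ${{ ... }} in a row-filter or resource name with its value.
const expand = t => t.replace(/\$\{\{(.*?)\}\}/g, (_, e) => evalExpr(e.trim()));

// Policy-author check: the unquoted *_ATTR_CSV macros splice values in bare,
// so flag any use whose expansion is not a list of numbers.
function lintUnquoted(t) {
  const re = /\$\{\{\s*(GET_(?:TAG|UG)_ATTR_CSV)\('(\w+)'\)\s*\}\}/g;
  return [...t.matchAll(re)]
    .filter(([, name, attr]) => !/^-?\d+(,-?\d+)*$/.test(MACROS[name](attr)))
    .map(([, name, attr]) => `${name}('${attr}'): values are not all numeric, use ${name.replace('_CSV', '_Q_CSV')}`);
}
```

In this model an attribute that cannot be resolved raises an error instead of expanding to an empty string, so a mistyped reference cannot silently change what the filter matches.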
Attachments
Issue Links
- is related to
  - RANGER-3550 support for using user/tag attributes in row-filter expressions and conditions (Resolved)
  - RANGER-3567 support for use of user attributes in policy resources (Resolved)
  - RANGER-3586 Script condition expression to support csv of group/tag attributes (Resolved)
- relates to
  - RANGER-3609 option to add usergroup enricher automatically based on references in policies (Resolved)
  - RANGER-3764 conditions to support macros IS_IN_GROUP, IS_IN_ROLE, HAS_TAG (Resolved)