Description
I have a use case around this for Trino where a user should be able to see the allowed parents along with the child table.
For the case below, from here:
Resource
{ "serviceName": "cl1_hive", "resourceElements": { "database": { "values": ["employee"] }, "table": { "values": ["personal"] }, "column": { "values": ["city"] } }, "id": 3, "guid": "employee.personal.city-guid" }
Policy
{ "id": 1, "name": "RESTRICTED_TAG_POLICY", "isEnabled": true, "isAuditEnabled": true, "resources": { "tag": { "values": ["RESTRICTED"], "isRecursive": false } }, "policyItems": [{ "accesses": [{ "type": "hive:select", "isAllowed": true }], "users": ["hive", "user1"], "groups": [], "delegateAdmin": false, "conditions": [{ "type": "expression", "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"] }] }] }
The test below is working as expected
{ "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag", "request": { "resource": { "elements": { "database": "employee", "table": "personal", "column": "city" } }, "accessType": "select", "user": "user1", "userGroups": [], "requestData": "select city from employee.personal;' for user1" }, "result": { "isAudited": true, "isAllowed": true, "policyId": 101 } }
The expectation is: how to allow the following (without allowing access to anything apart from this)?
show databases; -- with results employee
use employee;
show tables; -- with results personal
Please suggest possible ways to solve this/policy creation.
=====================================================================================================
Issue Links
- is fixed by: RANGER-3617 incorrect deny for _any access due to tag policy (Resolved)