Description
Have a use case around this for Trino where user should be able to see allowed parents along with child table
For below case from here
Resource
{
"serviceName": "cl1_hive",
"resourceElements": {
"database": {
"values": ["employee"]
},
"table": {
"values": ["personal"]
},
"column": {
"values": ["city"]
}
},
"id": 3,
"guid": "employee.personal.city-guid"
}
Policy
{
"id": 1,
"name": "RESTRICTED_TAG_POLICY",
"isEnabled": true,
"isAuditEnabled": true,
"resources": {
"tag": {
"values": ["RESTRICTED"],
"isRecursive": false
}
},
"policyItems": [{
"accesses": [{
"type": "hive:select",
"isAllowed": true
}],
"users": ["hive", "user1"],
"groups": [],
"delegateAdmin": false,
"conditions": [{
"type": "expression",
"values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
}]
}]
}
The test below is working as expected
{
"name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
"request": {
"resource": {
"elements": {
"database": "employee",
"table": "personal",
"column": "city"
}
},
"accessType": "select",
"user": "user1",
"userGroups": [],
"requestData": "select city from employee.personal;' for user1"
},
"result": {
"isAudited": true,
"isAllowed": true,
"policyId": 101
}
}
The expectation is how to allow? (without allowing access to anything apart from this)
show databases;— with results employee
use employee;
show tables; – with results personal
Please suggest possible ways to solve this/policy creation.
=====================================================================================================
Attachments
Attachments
Issue Links
- is fixed by
-
RANGER-3617 incorrect deny for _any access due to tag policy
-
- Resolved
-