  1. Ranger
  2. RANGER-3997

option to use default value when user/group/tag does not have the attribute


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0, 2.4.0
    • Component/s: plugins
    • Labels: None

    Description

      Consider the following row-filter expression, which refers to a user attribute:

      dept = ${{USER.dept}}

       

      For this expression to evaluate correctly, every user who runs a query on the table must have an attribute named dept. To handle users for whom this attribute is not defined, an additional policy item would be required, as shown below:

      1. "condition": "!HAS_USER_ATTR('dept')", "filterExpr": "dept = -1"
       
      2. "filterExpr": "dept = ${{USER.dept}}"

       

      The ability to use a default value when the attribute doesn't exist will eliminate the need for the additional policy item, like:

       "filterExpr": "dept = ${{GET_USER_ATTR('dept', -1)}}"

       

      The following macros were added to support an optional default value:

       

      | Macro | With default value | Description | Example return value |
      |---|---|---|---|
      | GET_TAG_NAMES() | GET_TAG_NAMES('none') | Names of tags associated with the resource, separated by a comma | PII,PCI |
      | GET_TAG_ATTR_NAMES() | GET_TAG_ATTR_NAMES('none') | Names of attributes in tags associated with the resource, separated by a comma | piiType,score |
      | GET_TAG_ATTR('score') | GET_TAG_ATTR('score', 0) | Attribute value in tags associated with the resource, separated by a comma | 0 |
      | GET_UG_NAMES() | GET_UG_NAMES('none') | Names of groups the user belongs to, separated by a comma | analyst,manager |
      | GET_UG_ATTR_NAMES() | GET_UG_ATTR_NAMES('none') | Names of all attributes in groups the user belongs to, separated by a comma | dept,site |
      | GET_UG_ATTR('site') | GET_UG_ATTR('site', 'none') | Attribute value in groups the user belongs to, separated by a comma | 10,20 |
      | GET_UR_NAMES() | GET_UR_NAMES('none') | Names of roles assigned to the user, separated by a comma | data-steward,admin |
      | GET_USER_ATTR_NAMES() | GET_USER_ATTR_NAMES('none') | Names of all attributes of the user, separated by a comma | name,email |
      | GET_USER_ATTR('email') | GET_USER_ATTR('email', 'none') | Value of user attribute | name@domain.com |

       

      For each macro listed above, there is another version with _Q added to the name, like:

      GET_TAG_NAMES_Q()

       These macros would quote each value, like:

      'PII','PCI'
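
      The two policy-item layouts above, compared in a small model (an added example, not Ranger's code or part of the original issue). The helper names macros, evalExpr, expand and rowFilter, the sample users, and the choice to raise an error for an unresolved value are assumptions of this sketch.

```javascript
// Simplified model, not Ranger's implementation. Constructed users: alice has dept, bob does not.
const alice = { attrs: { dept: "10" }, groups: ["analyst", "manager"] };
const bob = { attrs: {}, groups: [] };

// Macros for one user; each returns `def` when there is nothing to return.
function macros(user) {
  const csv = (vals, def, q) =>
    vals.length ? vals.map((v) => (q ? `'${v}'` : v)).join(",") : def;
  const attr = (n) => (Object.hasOwn(user.attrs, n) ? [user.attrs[n]] : []);
  return {
    HAS_USER_ATTR: (n) => Object.hasOwn(user.attrs, n),
    GET_USER_ATTR: (n, def) => csv(attr(n), def, false),
    GET_UG_NAMES: (def) => csv(user.groups, def, false),
    GET_UG_NAMES_Q: (def) => csv(user.groups, def, true),
  };
}

// Evaluates USER.<attr>, MACRO(args) or !MACRO(args); nothing else is parsed.
function evalExpr(expr, user) {
  const negate = expr.trim().startsWith("!");
  const body = expr.trim().replace(/^!/, "");
  if (body.startsWith("USER.")) return user.attrs[body.slice(5)];
  const call = /^(\w+)\((.*)\)$/.exec(body);
  const fn = call && macros(user)[call[1]];
  if (!fn) throw new Error("unsupported expression: " + expr);
  const args = call[2].split(",").map((a) => a.trim().replace(/^'(.*)'$/, "$1"));
  const val = fn(...args.filter((a) => a !== ""));
  return negate ? !val : val;
}

// Substitutes every ${{...}}; in this model an unresolved value is an error.
function expand(filterExpr, user) {
  return filterExpr.replace(/\$\{\{(.*?)\}\}/g, (_, expr) => {
    const v = evalExpr(expr, user);
    if (v === undefined) throw new Error("no value for " + expr);
    return String(v);
  });
}

// The first policy item with no condition, or a true one, supplies the filter.
function rowFilter(items, user) {
  const item = items.find((i) => !i.condition || evalExpr(i.condition, user));
  return expand(item.filterExpr, user);
}
const twoItems = [
  { condition: "!HAS_USER_ATTR('dept')", filterExpr: "dept = -1" },
  { filterExpr: "dept = ${{USER.dept}}" },
];
const oneItem = [{ filterExpr: "dept = ${{GET_USER_ATTR('dept', -1)}}" }];
```

      For both sample users, rowFilter(oneItem, user) gives the same filter as rowFilter(twoItems, user); a user without dept gets dept = -1 in either layout.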

       

      Attachments

        1. RANGER-3997.patch
          41 kB
          Madhan Neethiraj
        2. Screenshot 2024-02-15 at 5.07.02 PM.png
          127 kB
          Himanshu Maurya
        3. Screenshot 2024-02-15 at 5.20.36 PM.png
          43 kB
          Himanshu Maurya
        4. Screenshot 2024-02-15 at 5.27.54 PM.png
          182 kB
          Himanshu Maurya

            People

              Assignee: madhan Madhan Neethiraj
              Reporter: madhan Madhan Neethiraj