  1. Ranger
  2. RANGER-3997

option to use default value when user/group/tag does not have the attribute


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0, 2.4.0
    • Component/s: plugins
    • Labels: None

    Description

      Consider the following row-filter expression that refers to a user attribute:

      dept = ${{USER.dept}}

       

      For this expression to evaluate correctly, all users who run a query on the table should have an attribute named dept. To handle users for whom this attribute is not defined, an additional policy-item would be required, as shown below:

      1. "condition": "!HAS_USER_ATTR('dept')", "filterExpr": "dept = -1"
       
      2. "filterExpr": "dept = ${{USER.dept}}"

       

      The ability to use a default value when the attribute doesn't exist will eliminate the need for the additional policy item, like:

       "filterExpr": "dept = ${{GET_USER_ATTR('dept', -1)}}"

       

      Added the following macros to support an optional default value:

       

      | Macro | With default value | Description | Example return value |
      |---|---|---|---|
      | GET_TAG_NAMES() | GET_TAG_NAMES('none') | Names of tags associated with the resource, separated by a comma | PII,PCI |
      | GET_TAG_ATTR_NAMES() | GET_TAG_ATTR_NAMES('none') | Names of attributes in tags associated with the resource, separated by a comma | piiType,score |
      | GET_TAG_ATTR('score') | GET_TAG_ATTR('score', 0) | Attribute value in tags associated with the resource, separated by a comma | 0 |
      | GET_UG_NAMES() | GET_UG_NAMES('none') | Names of groups the user belongs to, separated by a comma | analyst,manager |
      | GET_UG_ATTR_NAMES() | GET_UG_ATTR_NAMES('none') | Names of all attributes in groups the user belongs to, separated by a comma | dept,site |
      | GET_UG_ATTR('site') | GET_UG_ATTR('site', 'none') | Attribute value in groups the user belongs to, separated by a comma | 10,20 |
      | GET_UR_NAMES() | GET_UR_NAMES('none') | Names of roles assigned to the user, separated by a comma | data-steward,admin |
      | GET_USER_ATTR_NAMES() | GET_USER_ATTR_NAMES('none') | Names of all attributes of the user, separated by a comma | name,email |
      | GET_USER_ATTR('email') | GET_USER_ATTR('email', 'none') | Value of user attribute | name@domain.com |

       

      For each macro listed above, there is another version with _Q added to the name, like:

      GET_TAG_NAMES_Q()

       These macros would quote each value, like:

      'PII','PCI'
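
A simplified model of the default-value behaviour described above, added here as an illustration; it is not taken from Ranger or from RANGER-3997.patch. The context shape, the names `makeMacros`, `parseLiteral` and `expandFilter`, raising an error when there is no value and no default, and quoting the default in the `_Q` variants are all assumptions that the page does not state.

```javascript
// Simplified model of the default-value macros from RANGER-3997 (not Ranger code).
// Assumptions: the ctx shape, throwing when a value is missing and no default is
// given, and quoting the default in the _Q variants are choices made for this sketch.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const csv = (vals) => vals.join(',');
const csvQ = (vals) => vals.map((v) => `'${v}'`).join(',');

function makeMacros(ctx) {
  const render = (macro, vals, dflt, fmt) => {
    if (vals.length > 0) return fmt(vals);
    if (dflt === undefined) throw new Error(`${macro}: no value and no default`);
    return fmt([dflt]);
  };
  const userAttr = (n) => (has(ctx.user, n) ? [ctx.user[n]] : []);
  const ugAttr = (n) => Object.values(ctx.groups).filter((g) => has(g, n)).map((g) => g[n]);
  return {
    GET_USER_ATTR: (n, d) => render('GET_USER_ATTR', userAttr(n), d, csv),
    GET_USER_ATTR_Q: (n, d) => render('GET_USER_ATTR_Q', userAttr(n), d, csvQ),
    GET_UG_ATTR: (n, d) => render('GET_UG_ATTR', ugAttr(n), d, csv),
    GET_UG_ATTR_Q: (n, d) => render('GET_UG_ATTR_Q', ugAttr(n), d, csvQ),
    GET_UG_NAMES: (d) => render('GET_UG_NAMES', Object.keys(ctx.groups), d, csv),
    GET_UG_NAMES_Q: (d) => render('GET_UG_NAMES_Q', Object.keys(ctx.groups), d, csvQ),
  };
}

// Macro arguments in this model: a single-quoted string or a number literal.
function parseLiteral(raw) {
  const s = raw.trim();
  const m = /^'([^']*)'$/.exec(s);
  if (m) return m[1];
  if (/^-?\d+(\.\d+)?$/.test(s)) return Number(s);
  throw new Error(`unsupported macro argument: ${s}`);
}

// Replace every ${{MACRO(args)}} token in a filter expression with its value.
function expandFilter(filterExpr, ctx) {
  const macros = makeMacros(ctx);
  return filterExpr.replace(/\$\{\{\s*(\w+)\(([^)]*)\)\s*\}\}/g, (_m, name, rawArgs) => {
    if (!has(macros, name)) throw new Error(`unsupported macro: ${name}`);
    const args = rawArgs.trim() === '' ? [] : rawArgs.split(',').map(parseLiteral);
    return String(macros[name](...args));
  });
}

// Constructed sample users: alice has dept and groups, bob has neither.
const alice = { user: { dept: 10 }, groups: { analyst: { site: 10 }, manager: { site: 20 } } };
const bob = { user: {}, groups: {} };
```

With these constructed users, expanding the single-item filter from the description for `bob` gives `dept = -1`, the same filter the two-item policy applied to users without the attribute, while the same call without a default fails in this model instead of producing a filter.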

       

      Attachments

        1. Screenshot 2024-02-15 at 5.27.54 PM.png
          182 kB
          Himanshu Maurya
        2. Screenshot 2024-02-15 at 5.20.36 PM.png
          43 kB
          Himanshu Maurya
        3. Screenshot 2024-02-15 at 5.07.02 PM.png
          127 kB
          Himanshu Maurya
        4. RANGER-3997.patch
          41 kB
          Madhan Neethiraj


          People

            Assignee: Madhan Neethiraj
            Reporter: Madhan Neethiraj