Description
Ranger policies support condition expressions that enable users to set up access-control/masking/row-filter rules based on various criteria, including user/group/tag attributes. To use such expressions in policies, service-defs need to be updated to add the following condition-def:
"conditions": [ { "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "label": "Enter boolean expression", "description": "Boolean expression" } ]
Instead of requiring updates to every service-def, it will help to implicitly include the above in all service-defs. However, it should be possible for a service-def to opt out of this via a service-def option.
Implementation notes:
- while loading service-defs from the database, Ranger admin adds a condition named _expression of type RangerScriptConditionEvaluator
- the above implicit addition of the condition can be disabled by adding the following configuration in Ranger admin: ranger.servicedef.enableImplicitConditionExpression=false
- specific service-defs can be excluded from the above implicit addition by adding the following option in the service-def: enableImplicitConditionExpression=false
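The following is an added Python model of the implicit-addition and opt-out rules listed above, not Ranger's own code: it assumes a service-def is a plain JSON-style dict with an `options` map, that only an explicit "false" (string or bool, compared case-insensitively) opts out, and that the Ranger admin config is passed in as a dict. It also adds a small helper for auditing which service-defs end up accepting script conditions at all.

```python
import copy

# Admin-side config key and service-def option named in the notes above.
ADMIN_CONFIG_KEY = "ranger.servicedef.enableImplicitConditionExpression"
SERVICEDEF_OPTION_KEY = "enableImplicitConditionExpression"

# The implicit condition-def; name "_expression" and the evaluator class are
# the ones the notes specify.
IMPLICIT_CONDITION = {
    "name": "_expression",
    "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
    "label": "Enter boolean expression",
    "description": "Boolean expression",
}


def _is_disabled(value):
    # Assumption: only an explicit false/"false" opts out; absence or any
    # other value keeps the default (implicit addition enabled).
    if isinstance(value, bool):
        return value is False
    return value is not None and str(value).strip().lower() == "false"


def apply_implicit_condition(service_def, admin_config):
    """Return a copy of service_def with the implicit _expression condition
    added, unless the admin config or the service-def's own option disables it.
    A service-def that already defines _expression is left as-is (no duplicate)."""
    result = copy.deepcopy(service_def)
    if _is_disabled(admin_config.get(ADMIN_CONFIG_KEY)):
        return result  # globally disabled in Ranger admin
    if _is_disabled(result.get("options", {}).get(SERVICEDEF_OPTION_KEY)):
        return result  # this service-def opted out
    conditions = result.setdefault("conditions", [])
    if any(c.get("name") == IMPLICIT_CONDITION["name"] for c in conditions):
        return result
    conditions.append(copy.deepcopy(IMPLICIT_CONDITION))
    return result


def has_script_condition(service_def):
    """True if any condition-def of this service-def evaluates policy-supplied
    script expressions; handy when reviewing which service-defs allow them."""
    return any(c.get("evaluator") == IMPLICIT_CONDITION["evaluator"]
               for c in service_def.get("conditions", []))


if __name__ == "__main__":
    # Constructed sample service-defs, not taken from a real Ranger instance.
    hive = {"name": "hive", "conditions": [], "options": {}}
    kafka = {"name": "kafka", "options": {SERVICEDEF_OPTION_KEY: "false"}}
    for sd in (hive, kafka):
        print(sd["name"], has_script_condition(apply_implicit_condition(sd, {})))
```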