  1. Ranger
  2. RANGER-4392

Tag based policy with boolean expression is not working


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0, 2.5.0
    • Ranger

    Description

      Reproduction

      Precondition

      1. Hive table with name "testtable1_polcond" exists with tag with attributes expire_date, and name. Expiry date is in the future, and name has value: "hivetag".
      2. A ranger tag-based policy exists with "Accessed after expiry_date": no, and the following boolean expression:

      ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
      

      providing access to user test_user

      Test steps

      1. As user test_user in beeline, execute:

      select * from testdb1_polcond.testtable1_polcond;
      

      Expected behavior

      Query should be executed successfully as tag based policy provides access.

      Actual behavior

      Permission denied. In hive logs, the following is seen:

      2023-08-28 11:43:34,716 INFO  org.apache.hadoop.hive.ql.Driver: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(queryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from testdb1_polcond.testtable1_polcond
      
      ...
      
      2023-08-28 11:43:34,944 ERROR org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script, exception=javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: SyntaxError: <eval>:1:66 Expected , but found eof
      exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
      

      Policy condition response :

      curl -u 'admin:Admin123' 'https://quasar-leyqrl-1.quasar-leyqrl.root.hwx.site:6182/service/plugins/policies/102' \
      -H 'Accept: application/json, text/plain, */*' \
      --insecure
      

      In the resulting json, the value for the policy condition is the following:

      "conditions": [
                      {
                          "type": "accessed-after-expiry",
                          "values": [
                              "no"
                          ]
                      },
                      {
                          "type": "expression",
                          "values": [
                              "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
                              "\"name\").equals(\"hivetag\");"
                          ]
                      }
                  ],
      

      It looks as if Ranger Admin would split the content of the "expression" field along the comma, and that's what leads to syntax error in hive logs.
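
An added example, not part of the original report or of Ranger's own code: a Python audit over policy JSON, as returned by the REST call above, that flags `expression` conditions whose stored values are unbalanced fragments, which is the symptom visible in the response. The `policyItems` wrapper around the sample, the function names and the `", "` separator used to rejoin fragments are assumptions of this example.

```python
import json

# Constructed sample: the report's "conditions" array; the wrapper object is assumed.
SAMPLE_POLICY = json.loads(r'''{"id": 102, "policyItems": [{"conditions": [
  {"type": "accessed-after-expiry", "values": ["no"]},
  {"type": "expression", "values": [
    "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
    "\"name\").equals(\"hivetag\");"]}]}]}''')

def is_balanced(text):
    """True if brackets and quoted strings all close within text."""
    depth, quote, escaped = 0, None, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and quote is None

def find_conditions(node):
    """Yield every dict found under any "conditions" key, at any depth."""
    if isinstance(node, dict):
        if isinstance(node.get("conditions"), list):
            yield from (c for c in node["conditions"] if isinstance(c, dict))
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from find_conditions(child)

def audit_policy(policy):
    """Report expression conditions stored as unbalanced fragments."""
    findings = []
    for cond in find_conditions(policy):
        values = cond.get("values") or []
        if cond.get("type") == "expression" and not all(map(is_balanced, values)):
            joined = ", ".join(values)  # assumed separator; original spacing is lost
            findings.append({"fragments": values, "rejoined": joined,
                             "rejoined_balanced": is_balanced(joined)})
    return findings
```

A finding with `rejoined_balanced` set to true indicates an expression that was intact before being split, so the stored policy should be re-saved after the fix rather than treated as an authoring mistake.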

      Attachments

        1. 0001-RANGER-4392.patch
          11 kB
          Mugdha Varadkar

            People

              mugdha.varadkar Mugdha Varadkar