[ https://issues.apache.org/jira/browse/RANGER-3997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj updated RANGER-3997:
-------------------------------------
Description:

Consider the following row-filter expression that refers to a user attribute:
{code:java}
dept = ${{USER.dept}}
{code}

For this expression to evaluate correctly, all users who run a query on the table should have an attribute named dept. To handle users for whom this attribute is not defined, an additional policy-item would be required, as shown below:
{noformat}
1. "condition": "!HAS_USER_ATTR('dept')", "filterExpr": "dept = -1"
2. "filterExpr": "dept = ${{USER.dept}}"
{noformat}

The ability to use a default value when the attribute doesn't exist will eliminate the need for the additional policy item, like:
{noformat}
"filterExpr": "dept = ${{GET_USER_ATTR('dept', -1)}}"
{noformat}

Added the following macros to support an optional default value:

||Macro||With default value||Description||Example return value||
|GET_TAG_NAMES()|GET_TAG_NAMES('none')|Names of tags associated with the resource, separated by a comma|PII,PCI|
|GET_TAG_ATTR_NAMES()|GET_TAG_ATTR_NAMES('none')|Names of attributes in tags associated with the resource, separated by a comma|piiType,score|
|GET_TAG_ATTR('score')|GET_TAG_ATTR('score', 0)|Attribute value in tags associated with the resource, separated by a comma|0|
|GET_UG_NAMES()|GET_UG_NAMES('none')|Names of groups the user belongs to, separated by a comma|analyst,manager|
|GET_UG_ATTR_NAMES()|GET_UG_ATTR_NAMES('none')|Names of all attributes in groups the user belongs to, separated by a comma|dept,site|
|GET_UG_ATTR('site')|GET_UG_ATTR('site', 'none')|Attribute value in groups the user belongs to, separated by a comma|10,20|
|GET_UR_NAMES()|GET_UR_NAMES('none')|Names of roles assigned to the user, separated by a comma|data-steward,admin|
|GET_USER_ATTR_NAMES()|GET_USER_ATTR_NAMES('none')|Names of all attributes of the user, separated by a comma|name,email|
|GET_USER_ATTR('email')|GET_USER_ATTR('email', 'none')|Value of user attribute|n...@domain.com|

For each macro listed above, there is another version with *_Q* added to the name, like:
{code:java}
GET_TAG_NAMES_Q()
{code}
These macros would quote each value, like:
{code:java}
'PII','PCI'
{code}

> option to use default value when user/group/tag does not have the attribute
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-3997
>                 URL: https://issues.apache.org/jira/browse/RANGER-3997
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>         Attachments: RANGER-3997.patch

--
This message was sent by Atlassian Jira
(v8.20.10#820010)