[ 
https://issues.apache.org/jira/browse/RANGER-3997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-3997:
-------------------------------------
    Description: 
Consider the following row-filter expression that refers to a user attribute: 
{code:java}
dept = ${{USER.dept}}{code}
 

For this expression to evaluate correctly, all users who run a query on the table 
should have an attribute named dept. To handle users for whom this attribute is 
not defined, an additional policy-item would be required, as shown below:
{noformat}
1. "condition": "!HAS_USER_ATTR('dept')", "filterExpr": "dept = -1"
 
2. "filterExpr": "dept = ${{USER.dept}}"{noformat}
 

The ability to use a default value when the attribute doesn't exist will eliminate 
the need for the additional policy item, like:
{noformat}
 "filterExpr": "dept = ${{GET_USER_ATTR('dept', -1)}}"{noformat}
 

Added the following macros to support an optional default value:

 
||Macro||With default value||Description||Example return value||
|GET_TAG_NAMES()|GET_TAG_NAMES('none')|Names of tags associated with the resource, separated by a comma|PII,PCI|
|GET_TAG_ATTR_NAMES()|GET_TAG_ATTR_NAMES('none')|Names of attributes in tags associated with the resource, separated by a comma|piiType,score|
|GET_TAG_ATTR('score')|GET_TAG_ATTR('score', 0)|Attribute value in tags associated with the resource, separated by a comma|0|
|GET_UG_NAMES()|GET_UG_NAMES('none')|Names of groups the user belongs to, separated by a comma|analyst,manager|
|GET_UG_ATTR_NAMES()|GET_UG_ATTR_NAMES('none')|Names of all attributes in groups the user belongs to, separated by a comma|dept,site|
|GET_UG_ATTR('site')|GET_UG_ATTR('site', 'none')|Attribute value in groups the user belongs to, separated by a comma|10,20|
|GET_UR_NAMES()|GET_UR_NAMES('none')|Names of roles assigned to the user, separated by a comma|data-steward,admin|
|GET_USER_ATTR_NAMES()|GET_USER_ATTR_NAMES('none')|Names of all attributes of the user, separated by a comma|name,email|
|GET_USER_ATTR('email')|GET_USER_ATTR('email', 'none')|Value of user attribute|n...@domain.com|

 

For each macro listed above, there is another version with *_Q* added to the 
name, like:
{code:java}
GET_TAG_NAMES_Q(){code}
 These macros would quote each value, like:
{code:java}
'PII','PCI'{code}
 

> option to use default value when user/group/tag does not have the attribute
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-3997
>                 URL: https://issues.apache.org/jira/browse/RANGER-3997
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>         Attachments: RANGER-3997.patch
>
>
> Consider the following row-filter expression that refers to a user attribute: 
> {code:java}
> dept = ${{USER.dept}}{code}
>  
> For this expression to evaluate correctly, all users who run a query on the 
> table should have an attribute named dept. To handle users for whom this 
> attribute is not defined, an additional policy-item would be required, as 
> shown below:
> {noformat}
> 1. "condition": "!HAS_USER_ATTR('dept')", "filterExpr": "dept = -1"
>  
> 2. "filterExpr": "dept = ${{USER.dept}}"{noformat}
>  
> The ability to use a default value when the attribute doesn't exist will 
> eliminate the need for the additional policy item, like:
> {noformat}
>  "filterExpr": "dept = ${{GET_USER_ATTR('dept', -1)}}"{noformat}
>  
> Added the following macros to support an optional default value:
>  
> ||Macro||With default value||Description||Example return value||
> |GET_TAG_NAMES()|GET_TAG_NAMES('none')|Names of tags associated with the resource, separated by a comma|PII,PCI|
> |GET_TAG_ATTR_NAMES()|GET_TAG_ATTR_NAMES('none')|Names of attributes in tags associated with the resource, separated by a comma|piiType,score|
> |GET_TAG_ATTR('score')|GET_TAG_ATTR('score', 0)|Attribute value in tags associated with the resource, separated by a comma|0|
> |GET_UG_NAMES()|GET_UG_NAMES('none')|Names of groups the user belongs to, separated by a comma|analyst,manager|
> |GET_UG_ATTR_NAMES()|GET_UG_ATTR_NAMES('none')|Names of all attributes in groups the user belongs to, separated by a comma|dept,site|
> |GET_UG_ATTR('site')|GET_UG_ATTR('site', 'none')|Attribute value in groups the user belongs to, separated by a comma|10,20|
> |GET_UR_NAMES()|GET_UR_NAMES('none')|Names of roles assigned to the user, separated by a comma|data-steward,admin|
> |GET_USER_ATTR_NAMES()|GET_USER_ATTR_NAMES('none')|Names of all attributes of the user, separated by a comma|name,email|
> |GET_USER_ATTR('email')|GET_USER_ATTR('email', 'none')|Value of user attribute|n...@domain.com|
>  
> For each macro listed above, there is another version with *_Q* added to the 
> name, like:
> {code:java}
> GET_TAG_NAMES_Q(){code}
>  These macros would quote each value, like:
> {code:java}
> 'PII','PCI'{code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
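
An added sketch (not Ranger's code and not part of the issue) that models how a default keeps the expanded row filter well-formed for a user with no `dept` attribute, and what the `_Q` variants produce. The sample users, the helper names, and the choice to quote the default and double embedded quotes are assumptions of this model.

```javascript
// Illustrative model only; not Apache Ranger code. All helper names are hypothetical.
// Constructed sample users: alice has the attributes, bob has none.
const users = {
  alice: { attrs: { dept: '10' }, groups: { analyst: { site: '10' }, manager: { site: '20' } } },
  bob: { attrs: {}, groups: {} },
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Comma-join the values, falling back to the default when there are none.
// Assumption: the _Q form quotes the default too and doubles embedded quotes.
function join(values, dflt, quote) {
  const vals = values.length ? values : dflt === undefined ? [] : [dflt];
  return vals.map((v) => (quote ? `'${String(v).replace(/'/g, "''")}'` : String(v))).join(',');
}

function makeMacros(user) {
  const defs = {
    GET_USER_ATTR: (name, d) => [own(user.attrs, name) ? [user.attrs[name]] : [], d],
    GET_UG_ATTR: (name, d) =>
      [Object.values(user.groups).filter((g) => own(g, name)).map((g) => g[name]), d],
    GET_UG_NAMES: (d) => [Object.keys(user.groups), d],
  };
  const macros = Object.create(null); // no inherited keys to match by accident
  for (const [key, fn] of Object.entries(defs)) {
    macros[key] = (...a) => join(...fn(...a), false);
    macros[key + '_Q'] = (...a) => join(...fn(...a), true);
  }
  return macros;
}

// Arguments are 'single-quoted strings' or numbers; commas inside strings are not handled.
function parseArg(text) {
  const m = /^'(.*)'$/.exec(text.trim());
  return m ? m[1] : Number(text);
}

// Replace every ${{MACRO(args)}} token in a filter expression for one user.
function expandFilter(expr, user) {
  const macros = makeMacros(user);
  return expr.replace(/\$\{\{(\w+)\(([^)]*)\)\}\}/g, (_, name, argText) => {
    if (!(name in macros)) throw new Error(`unknown macro: ${name}`);
    const args = argText.trim() === '' ? [] : argText.split(',').map(parseArg);
    return macros[name](...args);
  });
}

console.log(expandFilter("dept = ${{GET_USER_ATTR('dept', -1)}}", users.bob));
```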
