[ https://issues.apache.org/jira/browse/RANGER-4392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mugdha Varadkar updated RANGER-4392:
------------------------------------
    Attachment: 0001-RANGER-4392.patch

> Tag based policy with boolean expression is not working
> -------------------------------------------------------
>
>                 Key: RANGER-4392
>                 URL: https://issues.apache.org/jira/browse/RANGER-4392
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Mugdha Varadkar
>            Assignee: Mugdha Varadkar
>            Priority: Major
>              Labels: ranger-react
>         Attachments: 0001-RANGER-4392.patch
>
>
> h3. Reproduction
> h4. Precondition
> 1. Hive table with name "testtable1_polcond" exists with tag with attributes expire_date, and name. Expiry date is in the future, and name has value: "hivetag".
> 2. A ranger tag-based policy exists with "Accessed after expiry_date": no, and the following boolean expression:
> {code:java}
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
> {code}
> providing access to user test_user
> h4. Test steps
> 1. As user test_user in beeline, execute:
> {code:java}
> select * from testdb1_polcond.testtable1_polcond;
> {code}
> h4. Expected behavior
> Query should be executed successfully as tag based policy provides access.
> h4. Actual behavior
> Permission denied. In hive logs, the following is seen:
> {code:java}
> 2023-08-28 11:43:34,716 INFO org.apache.hadoop.hive.ql.Driver: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(queryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from testdb1_polcond.testtable1_polcond
> ...
> 2023-08-28 11:43:34,944 ERROR org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script, exception=javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: SyntaxError: <eval>:1:66 Expected , but found eof
> exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
> {code}
> Policy condition response:
> {code:java}
> curl -u 'admin:Admin123' 'https://quasar-leyqrl-1.quasar-leyqrl.root.hwx.site:6182/service/plugins/policies/102' \
>   -H 'Accept: application/json, text/plain, */*' \
>   --insecure
> {code}
> In the resulting json, the value for the policy condition is the following:
> {code:java}
> "conditions": [
>   {
>     "type": "accessed-after-expiry",
>     "values": [
>       "no"
>     ]
>   },
>   {
>     "type": "expression",
>     "values": [
>       "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
>       "\"name\").equals(\"hivetag\");"
>     ]
>   }
> ],
> {code}
> It looks as if Ranger Admin would split the content of the "expression" field along the comma, and that's what leads to syntax error in hive logs.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
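
Added example, not part of the original Jira message and not Ranger's code: a JavaScript audit check that models the reporter's hypothesis (the "expression" field being split on commas) and flags policy conditions whose values only form a complete script once rejoined. The names `splitOnComma`, `isBalanced` and `findSplitExpressions` are hypothetical, and the sample conditions are constructed from the JSON quoted in the issue.

```javascript
// Reporter's hypothesis, modelled as an assumption: the field is split on commas.
function splitOnComma(text) {
  return text.split(",").map((s) => s.trim());
}

// True when brackets outside string literals pair up and no string is left open.
function isBalanced(src) {
  const openerFor = { ")": "(", "]": "[", "}": "{" };
  const stack = [];
  let quote = null;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === "\\") i++; // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if ("([{".includes(ch)) {
      stack.push(ch);
    } else if (openerFor[ch] && stack.pop() !== openerFor[ch]) {
      return false;
    }
  }
  return quote === null && stack.length === 0;
}

// Flag "expression" conditions whose values are fragments of one script:
// at least one value is unbalanced alone, but the comma-joined text is balanced.
function findSplitExpressions(conditions) {
  return conditions
    .filter((c) => c.type === "expression" && c.values.length > 1)
    .filter((c) => c.values.some((v) => !isBalanced(v)) && isBalanced(c.values.join(", ")))
    .map((c) => ({ fragments: c.values, rejoined: c.values.join(", ") }));
}

// Constructed sample, shaped like the "conditions" array quoted in the issue.
const sampleExpression = 'ctx.getAttributeValue("VALID_HIVETABLE_TAG_82", "name").equals("hivetag");';
const sampleConditions = [
  { type: "accessed-after-expiry", values: ["no"] },
  { type: "expression", values: splitOnComma(sampleExpression) },
];

console.log(JSON.stringify(findSplitExpressions(sampleConditions), null, 2));
```

Conditions that carry several values which are each complete on their own are not flagged, so the check targets only the fragment pattern seen in this issue.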