[jira] [Commented] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Madhan Neethiraj (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571609#comment-17571609
 ] 

Madhan Neethiraj commented on RANGER-3839:
--

[~in.rames...@gmail.com] - thanks for adding the details. This is helpful.

{quote}I tried with resource matching scope as SELF_OR_DESCENDENTS, It succeeded but it comes with a lot of challenges.
{quote}
If you are looking to check whether the user has permission on any resource within a given resource, then resource-match-scope should be set as SELF_OR_DESCENDENTS. What issue do you see with this?

For TEST#1 ({{use hr;}}), if you are looking to find whether the user has _any_ permission on _any_ resource within the {{hr}} database, I suggest replacing accessType with an empty value: {{"accessType": ""}}. In this case the resource-match-scope is implicitly taken as SELF_OR_DESCENDENTS.

{quote}Please let me know if this worked in HIVE, what could be the reason?
{quote}
For {{USE DATABASE, SHOW TABLES, SHOW DATABASES}} commands, the Hive authorizer internally checks whether the user has *any* permission on any resource (within the specified database/table). Hence resource-match-scope SELF_OR_DESCENDENTS is implicit.

 

> Ranger Tag based policy with ability to show metadata for covered resource
> --
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Ramesh Bhanan Byndoor
>Priority: Major
> Attachments: resourceTags.json, test_ancestor_meta.json
>
>
> Have a use case around this for Trino where user should be able to see 
> allowed parents along with child table
>  
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>  
> Resource 
>  
> {code:java}
> {
>      "serviceName": "cl1_hive",
>      "resourceElements": {
>          "database": {
>              "values": ["employee"]
>          },
>          "table": {
>              "values": ["personal"]
>          },
>          "column": {
>              "values": ["city"]
>          }
>      },
>      "id": 3,
>      "guid": "employee.personal.city-guid"
>  }
>  {code}
> Policy
> {code:java}
> {
>      "id": 1,
>      "name": "RESTRICTED_TAG_POLICY",
>      "isEnabled": true,
>      "isAuditEnabled": true,
>      "resources": {
>          "tag": {
>              "values": ["RESTRICTED"],
>              "isRecursive": false
>          }
>      },
>      "policyItems": [{
>          "accesses": [{
>              "type": "hive:select",
>              "isAllowed": true
>          }],
>          "users": ["hive", "user1"],
>          "groups": [],
>          "delegateAdmin": false,
>          "conditions": [{
>              "type": "expression",
>              "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
>          }]
>      }]
>  }{code}
> The test below is working as expected
> {code:java}
> {
>     "name": "ALLOW 'select city from employee.personal;' for user1 using 
> RESTRICTED tag",
>     "request": {
>         "resource": {
>             "elements": {
>                 "database": "employee",
>                 "table": "personal",
>                 "column": "city"
>             }
>         },
>         "accessType": "select",
>         "user": "user1",
>         "userGroups": [],
>         "requestData": "select city from employee.personal;' for user1"
>     },
>     "result": {
>         "isAudited": true,
>         "isAllowed": true,
>         "policyId": 101
>     }
> }{code}
> The expectation is: how to allow the following (without allowing access to anything apart from this)?
> *show databases;* with results *employee*
> *use employee;*
> *show tables;* with results *personal*
>
> Please suggest possible ways to solve this/policy creation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
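To make the scope rule in Madhan's reply concrete, here is a small Python model of tag-based evaluation written for this page (it is not Ranger's code and not from the Jira thread). It assumes a constructed tagged resource hr.employee.ssn carrying tag PII with attribute score=1 and a constructed policy 1 granting select to t1user on PII-tagged resources when score < 2; the scope names follow Ranger's ResourceMatchingScope values SELF and SELF_OR_DESCENDANTS (the thread spells the latter SELF_OR_DESCENDENTS), and tags on an ancestor are treated as inherited by its descendants.

```python
from dataclasses import dataclass, field

# Hive resource hierarchy, most general level first (as in the test JSON on this page).
HIERARCHY = ("database", "table", "column")

SELF = "SELF"
SELF_OR_DESCENDANTS = "SELF_OR_DESCENDANTS"   # spelt SELF_OR_DESCENDENTS in the thread


@dataclass(frozen=True)
class TaggedResource:
    """One entry of the kind found in resourceTags.json: a resource path and its tag."""
    path: tuple                                  # e.g. ("hr", "employee", "ssn")
    tag: str
    attrs: dict = field(default_factory=dict)    # tag attributes, e.g. {"score": 1}


@dataclass(frozen=True)
class TagPolicy:
    """A tag-based allow policy; max_score models the page's condition
    'if ( tagAttr.get('score') < 2 ) ctx.result = true;'."""
    policy_id: int
    tag: str
    users: frozenset
    access_types: frozenset
    max_score: int


def path_of(elements: dict) -> tuple:
    """Turn {"database": "hr", "table": "employee"} into ("hr", "employee")."""
    return tuple(elements[level] for level in HIERARCHY if level in elements)


def tag_applies(requested: tuple, tagged: tuple, scope: str) -> bool:
    """Does a tag attached to `tagged` count for a request on `requested`?"""
    n = min(len(requested), len(tagged))
    if requested[:n] != tagged[:n]:
        return False                    # different branch of the hierarchy
    if len(tagged) <= len(requested):
        return True                     # tag sits on the resource itself or an ancestor (inherited)
    # Tag sits on a descendant (e.g. column ssn when the request names only database hr):
    # it is only taken into account when the caller asked for SELF_OR_DESCENDANTS.
    return scope == SELF_OR_DESCENDANTS


def evaluate(request: dict, tagged_resources, policies, scope: str = SELF):
    """Return (isAllowed, policyId) in the shape of the 'result' block of the test JSON."""
    requested = path_of(request["resource"]["elements"])
    access_type = request["accessType"]
    if access_type == "":
        # Madhan's suggestion: an empty accessType means 'any access on any resource
        # within', which implicitly widens the match scope to SELF_OR_DESCENDANTS.
        scope = SELF_OR_DESCENDANTS
    for res in tagged_resources:
        if not tag_applies(requested, res.path, scope):
            continue
        for pol in policies:
            if pol.tag != res.tag or request["user"] not in pol.users:
                continue
            if access_type and access_type not in pol.access_types:
                continue
            if res.attrs.get("score", 0) < pol.max_score:   # the tag-attribute condition
                return True, pol.policy_id
    return False, None


# Constructed sample data mirroring the thread: ssn column tagged PII (score 1),
# policy 1 lets t1user select PII-tagged resources when score < 2.
TAGGED = [TaggedResource(("hr", "employee", "ssn"), "PII", {"score": 1})]
POLICIES = [TagPolicy(1, "PII", frozenset({"t1user"}), frozenset({"select"}), 2)]


def make_request(elements: dict, access_type: str = "select", user: str = "t1user") -> dict:
    return {"resource": {"elements": elements}, "accessType": access_type, "user": user}


def run_thread_tests() -> dict:
    """Replays TEST#1/TEST#2 and the column-level select under the settings discussed."""
    use_hr = make_request({"database": "hr"})
    describe = make_request({"database": "hr", "table": "employee"})
    select_ssn = make_request({"database": "hr", "table": "employee", "column": "ssn"})
    return {
        "TEST#1 default scope": evaluate(use_hr, TAGGED, POLICIES),
        "TEST#2 default scope": evaluate(describe, TAGGED, POLICIES),
        "select ssn default scope": evaluate(select_ssn, TAGGED, POLICIES),
        "TEST#1 SELF_OR_DESCENDANTS": evaluate(use_hr, TAGGED, POLICIES, SELF_OR_DESCENDANTS),
        "TEST#1 empty accessType": evaluate(make_request({"database": "hr"}, ""), TAGGED, POLICIES),
    }


if __name__ == "__main__":
    for name, (allowed, policy_id) in run_thread_tests().items():
        print(f"{name:30} isAllowed={allowed} policyId={policy_id}")
```

With the default SELF scope the database-only and table-only requests find no applicable tag and are denied, which is the behaviour Ramesh's TEST#1 and TEST#2 report; widening the scope or sending an empty accessType lets the descendant tag count.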


Re: Review Request 74057: Plugin for Fine-grained Access Control over nested structures

2022-07-26 Thread Barbara Eckman via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74057/
---

(Updated July 26, 2022, 7:13 p.m.)


Review request for ranger and Madhan Neethiraj.


Repository: ranger


Description
---

It would be nice to be able to do fine-grained access control (FGA) over nested structures, e.g., the JSON responses of API calls. This requires the individual attributes in a JSON object to be first-class metadata objects which can be tagged and on which policies can be written. We have built a plugin and the corresponding Apache Atlas metadata structures and tagsync-mapper to support TBAC/RBAC/ABAC FGA over JSON structures. Our instigating use case was FGA over the JSON responses of API calls, but this plugin has potential value anywhere FGA over the individual attributes of nested structures is needed, e.g. JSON messages read from Kafka topics.


Diffs (updated)
-

  plugin-nestedstructure/CONTRIBUTING PRE-CREATION 
  plugin-nestedstructure/LICENSE PRE-CREATION 
  plugin-nestedstructure/NOTICE PRE-CREATION 
  plugin-nestedstructure/README.md PRE-CREATION 
  plugin-nestedstructure/conf/log4j.properties PRE-CREATION 
  plugin-nestedstructure/conf/nestedstructure_servicedef.json PRE-CREATION 
  plugin-nestedstructure/conf/ranger-nestedstructure-audit.xml PRE-CREATION 
  plugin-nestedstructure/conf/ranger-nestedstructure-policymgr-ssl.xml PRE-CREATION 
  plugin-nestedstructure/conf/ranger-nestedstructure-security.xml PRE-CREATION 
  plugin-nestedstructure/pom.xml PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/AccessResult.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/DataMasker.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/ExampleClient.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/FieldLevelAccess.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/JsonManipulator.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskTypes.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskingException.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAccessType.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Resource.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Service.java PRE-CREATION 
  plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/RecordFilterJavaScript.java PRE-CREATION 
  plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestDataMasker.java PRE-CREATION 
  plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestJsonManipulator.java PRE-CREATION 
  plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestRecordFilterJavaScript.java PRE-CREATION 
  pom.xml 0945f4b1d 
  tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java PRE-CREATION 
  tagsync/src/test/java/org/apache/ranger/tagsync/nestedstructureplugin/ResourceTests.java PRE-CREATION 


Diff: https://reviews.apache.org/r/74057/diff/2/

Changes: https://reviews.apache.org/r/74057/diff/1-2/


Testing
---


File Attachments (updated)


0001-patch-with-edits-based-on-OS-review.patch
  
https://reviews.apache.org/media/uploaded/files/2022/07/26/9d048baa-1968-4201-b213-1b807ed02587__0001-patch-with-edits-based-on-OS-review.patch


Thanks,

Barbara Eckman



[jira] [Comment Edited] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571449#comment-17571449
 ] 

Ramesh Bhanan Byndoor edited comment on RANGER-3839 at 7/26/22 2:31 PM:


I am using the Trino Ranger plugin and don't see this working as you noted; I see the same behavior in Trino, which I tried to replicate with the test cases below. Hope these test cases explain this problem better.

In the policy engine, I have added this new test case.
{code:java}
@Test
public void testPolicyEngine_hiveForTag_filebased_meta() {
   String[] conditionsTestResourceFiles = { "/policyengine/test_ancestor_meta.json" };

   runTestsFromResourceFiles(conditionsTestResourceFiles);
}
{code}
The content of test_ancestor_meta.json is attached here: [^test_ancestor_meta.json]
And my resource tags: [^resourceTags.json]

My expectation is for these to pass (marked below as TEST#1, TEST#2), but they don't. Please check.
{code:java}
{
  "tests": [
    {
      "name": "TEST#1 ALLOW 'use hr;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "use hr;' for t1user"
      },
      "result": {"isAudited": false, "isAllowed": false, "policyId": 1}
    },
    {
      "name": "TEST#2 ALLOW 'describe hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "describe hr.employee;' for t1user"
      },
      "result": {"isAudited": false, "isAllowed": false, "policyId": 1}
    },
    {
      "name": "ALLOW 'select ssn from hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee", "column": "ssn"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "select ssn from hr.employee;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    }
  ]
}
{code}

I tried with resource matching scope as SELF_OR_DESCENDENTS. It succeeded, but it comes with a lot of challenges. Please let me know if this worked in HIVE; what could be the reason?

Thanks much for your time.



[jira] [Comment Edited] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571449#comment-17571449
 ] 

Ramesh Bhanan Byndoor edited comment on RANGER-3839 at 7/26/22 2:25 PM:


I am using the Trino Ranger plugin and don't see this working as you noted; I see the same behavior in Trino, which I tried to replicate with the test cases below. Hope these test cases explain this problem better.

In the policy engine, I have added this new test case.
{code:java}
@Test
public void testPolicyEngine_hiveForTag_filebased_meta() {
   String[] conditionsTestResourceFiles = { "/policyengine/test_ancestor_meta.json" };

   runTestsFromResourceFiles(conditionsTestResourceFiles);
}
{code}
The content of test_ancestor_meta.json is attached here: [^test_ancestor_meta.json]
And my resource tags: [^resourceTags.json]

My expectation is for these to pass (marked below as TEST#1, TEST#2), but it fails. Please check.
{code:java}
{
  "tests": [
    {
      "name": "TEST#1 ALLOW 'use hr;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "use hr;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    },
    {
      "name": "TEST#2 ALLOW 'describe hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "describe hr.employee;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    },
    {
      "name": "ALLOW 'select ssn from hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee", "column": "ssn"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "select ssn from hr.employee;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    }
  ]
}
{code}

I tried with resource matching scope as SELF_OR_DESCENDENTS. It succeeded, but it comes with a lot of challenges. Please let me know if this worked in HIVE; what could be the reason?

Thanks much for your time.



[jira] [Comment Edited] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571449#comment-17571449
 ] 

Ramesh Bhanan Byndoor edited comment on RANGER-3839 at 7/26/22 2:17 PM:


I am using the Trino Ranger plugin and don't see this working as you noted; I see the same behavior, which I tried to replicate with the test cases below. Hope these test cases explain this problem better.

In the policy engine, I have added this new test case.
{code:java}
@Test
public void testPolicyEngine_hiveForTag_filebased_meta() {
   String[] conditionsTestResourceFiles = { "/policyengine/test_ancestor_meta.json" };

   runTestsFromResourceFiles(conditionsTestResourceFiles);
}
{code}
The content of test_ancestor_meta.json is attached here: [^test_ancestor_meta.json]
And my resource tags: [^resourceTags.json]

My expectation is for these to pass (marked below as TEST#1, TEST#2), but it fails. Please check.
{code:java}
{
  "tests": [
    {
      "name": "TEST#1 ALLOW 'use hr;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "use hr;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    },
    {
      "name": "TEST#2 ALLOW 'describe hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "describe hr.employee;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    },
    {
      "name": "ALLOW 'select ssn from hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee", "column": "ssn"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "select ssn from hr.employee;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    }
  ]
}
{code}

I tried with resource matching scope as SELF_OR_DESCENDENTS. It succeeded, but it comes with a lot of challenges. Please let me know if this worked in HIVE; what could be the reason?

Thanks much for your time.



[jira] [Updated] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Bhanan Byndoor updated RANGER-3839:
--
Description: 
I have a use case around this for Trino where the user should be able to see the allowed parents along with the child table.

For the case below, from here:

[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]

Resource

{code:java}
{
     "serviceName": "cl1_hive",
     "resourceElements": {
         "database": {
             "values": ["employee"]
         },
         "table": {
             "values": ["personal"]
         },
         "column": {
             "values": ["city"]
         }
     },
     "id": 3,
     "guid": "employee.personal.city-guid"
 }
 {code}
Policy
{code:java}
{
     "id": 1,
     "name": "RESTRICTED_TAG_POLICY",
     "isEnabled": true,
     "isAuditEnabled": true,
     "resources": {
         "tag": {
             "values": ["RESTRICTED"],
             "isRecursive": false
         }
     },
     "policyItems": [{
         "accesses": [{
             "type": "hive:select",
             "isAllowed": true
         }],
         "users": ["hive", "user1"],
         "groups": [],
         "delegateAdmin": false,
         "conditions": [{
             "type": "expression",
             "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
         }]
     }]
 }{code}
The test below is working as expected
{code:java}
{
    "name": "ALLOW 'select city from employee.personal;' for user1 using 
RESTRICTED tag",
    "request": {
        "resource": {
            "elements": {
                "database": "employee",
                "table": "personal",
                "column": "city"
            }
        },
        "accessType": "select",
        "user": "user1",
        "userGroups": [],
        "requestData": "select city from employee.personal;' for user1"
    },
    "result": {
        "isAudited": true,
        "isAllowed": true,
        "policyId": 101
    }
}{code}
The expectation is: how to allow the following (without allowing access to anything apart from this)?

*show databases;* with results *employee*

*use employee;*

*show tables;* with results *personal*

Please suggest possible ways to solve this/policy creation.

  was:
I have a use case around this for Trino and Hive where the user should be able to see the allowed parents along with the child table.

For the case below, from here:

[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]

Resource

{code:java}
{
     "serviceName": "cl1_hive",
     "resourceElements": {
         "database": {
             "values": ["employee"]
         },
         "table": {
             "values": ["personal"]
         },
         "column": {
             "values": ["city"]
         }
     },
     "id": 3,
     "guid": "employee.personal.city-guid"
 }
 {code}
Policy
{code:java}
{
     "id": 1,
     "name": "RESTRICTED_TAG_POLICY",
     "isEnabled": true,
     "isAuditEnabled": true,
     "resources": {
         "tag": {
             "values": ["RESTRICTED"],
             "isRecursive": false
         }
     },
     "policyItems": [{
         "accesses": [{
             "type": "hive:select",
             "isAllowed": true
         }],
         "users": ["hive", "user1"],
         "groups": [],
         "delegateAdmin": false,
         "conditions": [{
             "type": "expression",
             "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
         }]
     }]
 }{code}
The test below is working as expected
{code:java}
{
    "name": "ALLOW 'select city from employee.personal;' for user1 using 
RESTRICTED tag",
    "request": {
        "resource": {
            "elements": {
                "database": "employee",
                "table": "personal",
                "column": "city"
            }
        },
        "accessType": "select",
        "user": "user1",
        "userGroups": [],
        "requestData": "select city from employee.personal;' for user1"
    },
    "result": {
        "isAudited": true,
        "isAllowed": true,
        "policyId": 101
    }
}{code}
The expectation is: how to allow the following (without allowing access to anything apart from this)?

*show databases;* with results *employee*

*use employee;*

*show tables;* with results *personal*

Please suggest possible ways to solve this/policy creation.



[jira] [Comment Edited] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571449#comment-17571449
 ] 

Ramesh Bhanan Byndoor edited comment on RANGER-3839 at 7/26/22 2:14 PM:


I am using the Trino Ranger plugin and don't see this working as you noted; I see the same behavior, which I tried to replicate with the test cases below. Hope these test cases explain this problem better.

In the policy engine, I have added this new test case.
{code:java}
@Test
public void testPolicyEngine_hiveForTag_filebased_meta() {
   String[] conditionsTestResourceFiles = { "/policyengine/test_ancestor_meta.json" };

   runTestsFromResourceFiles(conditionsTestResourceFiles);
}
{code}
The content of test_ancestor_meta.json is attached here: [^test_ancestor_meta.json]
And my resource tags: [^resourceTags.json]

My expectation is for these to pass (marked below as TEST#1, TEST#2), but it fails. Please check.
{code:java}
{
  "tests": [
    {
      "name": "TEST#1 ALLOW 'use hr;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "use hr;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    },
    {
      "name": "TEST#2 ALLOW 'describe hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "describe hr.employee;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    },
    {
      "name": "ALLOW 'select ssn from hr.employee;' for t1user",
      "request": {
        "resource": {"elements": {"database": "hr", "table": "employee", "column": "ssn"}},
        "accessType": "select", "user": "t1user", "userGroups": [],
        "requestData": "select ssn from hr.employee;' for t1user"
      },
      "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
    }
  ]
}
{code}

I tried with resource matching scope as SELF_OR_DESCENDENTS. It succeeded, but it comes with a lot of challenges. Please let me know if this worked in HIVE; what could be the reason?

Thanks much for your time.



[jira] [Commented] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571449#comment-17571449
 ] 

Ramesh Bhanan Byndoor commented on RANGER-3839:
---

I am using the Trino Ranger plugin and don't see this working as you noted; I see 
the same behavior, which I tried to replicate with the below test cases. Hope these 
test cases explain this problem better.

In the policy engine, I have added this new test case.
{code:java}
@Test
public void testPolicyEngine_hiveForTag_filebased_meta() {
    String[] conditionsTestResourceFiles = { "/policyengine/test_ancestor_meta.json" };

    runTestsFromResourceFiles(conditionsTestResourceFiles);
}
{code}
And the content of test_ancestor_meta.json is attached here: [^test_ancestor_meta.json]. 
And my resource tags are attached as [^resourceTags.json].

And my expectation is that these pass (marked below as TEST#1 and TEST#2), but they fail. 
Please check.
{code:java}
"tests": [
  {
    "name": "TEST#1 ALLOW 'use hr;' for t1user ",
    "request": {
      "resource": {"elements": {"database": "hr"}},
      "accessType": "select",
      "user": "t1user",
      "userGroups": [],
      "requestData": "use hr;' for t1user"
    },
    "result": {"isAudited": false, "isAllowed": true, "policyId": 1}
  },
  {
    "name": "TEST#2 ALLOW 'describe hr.employee;' for t1user ",
    "request": {
      "resource": {"elements": {"database": "hr", "table": "employee"}},
      "accessType": "select",
      "user": "t1user",
      "userGroups": [],
      "requestData": "describe hr.employee;' for t1user"
    },
    "result": {"isAudited": false, "isAllowed": true, "policyId": 1}
  },
  {
    "name": "ALLOW 'select ssn from hr.employee;' for t1user ",
    "request": {
      "resource": {"elements": {"database": "hr", "table": "employee", "column": "ssn"}},
      "accessType": "select",
      "user": "t1user",
      "userGroups": [],
      "requestData": "select ssn from hr.employee;' for t1user"
    },
    "result": {"isAudited": true, "isAllowed": true, "policyId": 1}
  }
]
{code}
 

I tried with resource matching scope as SELF_OR_DESCENDENTS. It succeeded, but 
it comes with a lot of challenges. Please let me know, if this worked in HIVE, 
what could be the reason?

Thanks much for your time.
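To make the matching semantics behind these tests concrete, here is an added Python model (not Ranger's code and not taken from the reporter's attachments) of how a tag policy on a column behaves under SELF versus SELF_OR_DESCENDENTS matching. It covers the shape of TEST#1 and TEST#2 above (a database-only and a database+table request against a tag that sits on a column) and the issue description's goal of exposing the allowed ancestors for show databases / use / show tables without granting anything else. TaggedResource, TagPolicy, matches(), evaluate() and check() are hypothetical names, the tagged resources are constructed samples, and the condition mirrors the description's `tagAttr.get('score') < 2` expression.

```python
"""Toy model of hierarchical resource matching for Ranger-style tag policies.

Added illustration only: this is not Ranger's code and not the reporter's
attachments. TaggedResource, TagPolicy, matches(), evaluate() and check() are
hypothetical names, and the tagged resources below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hive-style hierarchy, most general level first.
LEVELS = ("database", "table", "column")

# Matching scopes, spelled as in the thread.
SELF = "SELF"
SELF_OR_DESCENDENTS = "SELF_OR_DESCENDENTS"


@dataclass
class TaggedResource:
    """A resource with its tags, like one entry of a resource-tags file."""
    elements: Dict[str, str]            # {"database": "hr", "table": "employee", "column": "ssn"}
    tags: Dict[str, Dict[str, object]]  # tag name -> tag attributes, e.g. {"RESTRICTED": {"score": 1}}


@dataclass
class TagPolicy:
    """One allow item of a tag-based policy with a condition on tag attributes."""
    policy_id: int
    tag: str
    access_types: frozenset
    users: frozenset
    condition: Callable[[Dict[str, object]], bool]


def _depth(elements: Dict[str, str]) -> int:
    """Count the leading hierarchy levels present in a resource spec."""
    depth = 0
    for level in LEVELS:
        if level not in elements:
            break
        depth += 1
    return depth


def matches(tagged: Dict[str, str], requested: Dict[str, str], scope: str) -> bool:
    """True when the tagged resource is the requested one (SELF) or sits
    beneath it (SELF_OR_DESCENDENTS). Ancestors and siblings never match."""
    req_depth, tag_depth = _depth(requested), _depth(tagged)
    if tag_depth < req_depth:
        return False  # tagged resource is an ancestor of the request
    if any(tagged[lvl] != requested[lvl] for lvl in LEVELS[:req_depth]):
        return False  # different branch of the hierarchy
    if tag_depth == req_depth:
        return True   # exact resource
    return scope == SELF_OR_DESCENDENTS  # strictly below the requested resource


def evaluate(policies: List[TagPolicy], resources: List[TaggedResource], user: str,
             access_type: str, requested: Dict[str, str], scope: str) -> Optional[int]:
    """Return the id of the first tag policy that allows the request, else None."""
    for res in resources:
        if not matches(res.elements, requested, scope):
            continue
        for tag, attrs in res.tags.items():
            for pol in policies:
                if (pol.tag == tag and user in pol.users
                        and access_type in pol.access_types and pol.condition(attrs)):
                    return pol.policy_id
    return None


# Constructed sample data: one column tagged with a low score, one with a high score.
RESOURCES = [
    TaggedResource({"database": "hr", "table": "employee", "column": "ssn"},
                   {"RESTRICTED": {"score": 1}}),
    TaggedResource({"database": "finance", "table": "ledger", "column": "amount"},
                   {"RESTRICTED": {"score": 5}}),
]

# Mirrors the description's policy: select on RESTRICTED when the tag's score < 2.
POLICIES = [
    TagPolicy(1, "RESTRICTED", frozenset({"select"}), frozenset({"t1user"}),
              lambda attrs: attrs["score"] < 2),
]


def check(requested: Dict[str, str], scope: str, user: str = "t1user",
          access_type: str = "select") -> Optional[int]:
    """Evaluate one request against the sample policies and tagged resources."""
    return evaluate(POLICIES, RESOURCES, user, access_type, requested, scope)


if __name__ == "__main__":
    cases = [
        ("use hr;", {"database": "hr"}),
        ("describe hr.employee;", {"database": "hr", "table": "employee"}),
        ("select ssn from hr.employee;", {"database": "hr", "table": "employee", "column": "ssn"}),
        ("select name from hr.employee;", {"database": "hr", "table": "employee", "column": "name"}),
        ("use finance;", {"database": "finance"}),
        ("use sales;", {"database": "sales"}),
    ]
    for label, req in cases:
        print(f"{label:32} SELF={check(req, SELF)!s:5} "
              f"SELF_OR_DESCENDENTS={check(req, SELF_OR_DESCENDENTS)}")
```

Under SELF the database-only request (`use hr;`) finds no tag and is denied, which is the failure the tests above show; under SELF_OR_DESCENDENTS it is allowed because a tagged column beneath it passes the policy, while `use sales;` (no tagged descendant), `use finance;` (descendant tagged but the score condition fails) and a sibling column stay denied. The caveat is that the database+table request passes too, which is right for `describe` and `show tables` but would be wrong for `select * from hr.employee`: a plugin has to apply the wider scope only to metadata operations and keep SELF with the actual column list for data reads, otherwise one tagged column opens the whole table. That trade-off is where the "challenges" mentioned above come from.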

> Ranger Tag based policy with ability to show metadata for covered resource
> --
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Ramesh Bhanan Byndoor
>Priority: Major
> Attachments: resourceTags.json, test_ancestor_meta.json
>
>
> Have a use case around this for trino and hive where user should be able to 
> see allowed parents along with child table
>  
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>  
> Resource 
>  
> {code:java}
> {
>      "serviceName": "cl1_hive",
>      "resourceElements": {
>          "database": {
>              "values": ["employee"]
>          },
>          "table": {
>              "values": ["personal"]
>          },
>          "column": {
>              "values": ["city"]
>          }
>      },
>      "id": 3,
>      "guid": "employee.personal.city-guid"
>  }
>  {code}
> Policy
> {code:java}
> {
>      "id": 1,
>      "name": "RESTRICTED_TAG_POLICY",
>      "isEnabled": true,
>      "isAuditEnabled": true,
>      "resources": {
>          "tag": {
>              "values": ["RESTRICTED"],
>              "isRecursive": false
>          }
>      },
>      "policyItems": [{
>          "accesses": [{
>              "type": "hive:select",
>              "isAllowed": true
>          }],
>          "users": ["hive", "user1"],
>          "groups": [],
>          "delegateAdmin": false,
>          "conditions": [{
>              "type": "expression",
>              "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
>          }]
>      }]
>  }{code}
> The test below is working as expected
> {code:java}
> {
>     "name": "ALLOW 'select city from employee.personal;' for user1 using 
> RESTRICTED tag",
>     "request": {
>         "resource": {
>             "elements": {
>                 "database": "employee",
>                 "table": "personal",
>                 "column": "city"
>             }
>         },
>         "accessType": "select",
>         "user": "user1",
>         "userGroups": [],
>         "requestData": "select city from employee.personal;' for user1"
>     },
>     "result": {
>         "isAudited": true,
>         "isAllowed": true,
>         "policyId": 101
>     }
> }{code}
> The expectation is: how to allow the following (without allowing access to anything apart from this)?
> *show databases;* with results *employee*
> *use employee;*
> *show tables;*

[jira] [Updated] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Bhanan Byndoor updated RANGER-3839:
--
Attachment: resourceTags.json




--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Bhanan Byndoor updated RANGER-3839:
--
Attachment: test_ancestor_meta.json






[jira] [Updated] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource

2022-07-26 Thread Ramesh Bhanan Byndoor (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Bhanan Byndoor updated RANGER-3839:
--
Description: 
Have a use case around this for Trino and Hive where the user should be able to see 
allowed parents along with the child table.

For the case below, taken from here:

[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]

Resource
{code:java}
{
     "serviceName": "cl1_hive",
     "resourceElements": {
         "database": {
             "values": ["employee"]
         },
         "table": {
             "values": ["personal"]
         },
         "column": {
             "values": ["city"]
         }
     },
     "id": 3,
     "guid": "employee.personal.city-guid"
 }
 {code}
Policy
{code:java}
{
     "id": 1,
     "name": "RESTRICTED_TAG_POLICY",
     "isEnabled": true,
     "isAuditEnabled": true,
     "resources": {
         "tag": {
             "values": ["RESTRICTED"],
             "isRecursive": false
         }
     },
     "policyItems": [{
         "accesses": [{
             "type": "hive:select",
             "isAllowed": true
         }],
         "users": ["hive", "user1"],
         "groups": [],
         "delegateAdmin": false,
         "conditions": [{
             "type": "expression",
             "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
         }]
     }]
 }{code}
The test below is working as expected
{code:java}
{
    "name": "ALLOW 'select city from employee.personal;' for user1 using 
RESTRICTED tag",
    "request": {
        "resource": {
            "elements": {
                "database": "employee",
                "table": "personal",
                "column": "city"
            }
        },
        "accessType": "select",
        "user": "user1",
        "userGroups": [],
        "requestData": "select city from employee.personal;' for user1"
    },
    "result": {
        "isAudited": true,
        "isAllowed": true,
        "policyId": 101
    }
}{code}
The expectation is: how to allow the following (without allowing access to anything apart from this)?

*show databases;* with results *employee*

*use employee;*

*show tables;* with results *personal*

Please suggest possible ways to solve this / policy creation.

  was:
Have a use case around this for Trino and Hive where the user should be able to see 
allowed parents along with the child table.

For the case below, taken from here:

[https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]

Resource
{code:java}
{
     "serviceName": "cl1_hive",
     "resourceElements": {
         "database": {
             "values": ["employee"]
         },
         "table": {
             "values": ["personal"]
         },
         "column": {
             "values": ["city"]
         }
     },
     "id": 3,
     "guid": "employee.personal.city-guid"
 }
 {code}
Policy
{code:java}
{
     "id": 1,
     "name": "RESTRICTED_TAG_POLICY",
     "isEnabled": true,
     "isAuditEnabled": true,
     "resources": {
         "tag": {
             "values": ["RESTRICTED"],
             "isRecursive": false
         }
     },
     "policyItems": [{
         "accesses": [{
             "type": "hive:select",
             "isAllowed": true
         }],
         "users": ["hive", "user1"],
         "groups": [],
         "delegateAdmin": false,
         "conditions": [{
             "type": "expression",
             "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
         }]
     }]
 }{code}
The test below is working as expected
{code:java}
{
    "name": "ALLOW 'select city from employee.personal;' for user1 using 
RESTRICTED tag",
    "request": {
        "resource": {
            "elements": {
                "database": "employee",
                "table": "personal",
                "column": "city"
            }
        },
        "accessType": "select",
        "user": "user1",
        "userGroups": [],
        "requestData": "select city from employee.personal;' for user1"
    },
    "result": {
        "isAudited": true,
        "isAllowed": true,
        "policyId": 101
    }
}{code}
The expectation is: how to allow the following (without allowing access to anything apart from this)?

*show databases;* with results *employee*

*use employee;*

*show tables;* with results *personal*

Please suggest possible ways to solve this / policy creation.
