Using Tag Attributes and Values in Ranger Tag-based Policy Conditions
Enter boolean expression allows Ranger to use tag attributes and values when configuring tag-based policy Allow or Deny conditions. It allows admins to provide boolean expression(s) using tag attributes.
The policy condition is introduced in the tag service definition:
{ "itemId":2, "name":"expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"}, "label":"Enter boolean expression", "description": "Boolean expression" }
The following variables can be referenced in the boolean expression:
ctx
: Context handler containing APIs to access metadata information from the request.tag
: Information about the current tag.tagAttr
: Map containing all the current tag attributes and corresponding values.
The following APIs available from the request:
getUser()
: Returns a string.getUserGroups()
: Returns a set of strings containing groups.getClientIPAddress()
: Returns a string containing client IP address.getAction()
: Returns a string containing information about the action being requested.
Example
For two scenarios:
User “sam” needs to be denied a policy based on the IP address of the machine from where the resources are accessed.
Set the deny condition for user
sam
with the following boolean expression:if ( tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) ) { ctx.result = true; }
Deny one particular user, “bob” from a group, “users”, only when this user is accessing resources from a particular IP defined as an tag attribute in Atlas.
Set the deny condition for group
users
with the following boolean expression:if (tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) && ctx.getUser().equals("bob")) { ctx.result=true; }