Release Notes

RangerUI: Escape of policy condition text entered in the policy form

Component Affected: Ranger

Description of Problem

If a user creates a policy with custom policy conditions and the expression or text contains special characters, policy enforcement will not work. The special characters are converted into ASCII character codes (for example, ' becomes &#x27;) before the policy is saved to the database.

Special Characters: & < > " ` '

For example, the condition tags.attributes['type']='abc' would get converted to the following once the policy is saved:

tags.attds[&#x27;dsds&#x27;]=&#x27;cssdfs&#x27;

You can see the policy condition with these characters by opening the policy in edit mode.

Workaround

Option #1: Create/Update policy via Ranger REST API

REST URL: http://<host>:6080/service/plugins/policies

Creating policy with policy condition:

The example below creates a policy for the tag `tags-test` and assigns it to the `public` group with the policy condition tags.attr['type']=='abc', selecting all Hive component permissions: select, update, create, drop, alter, index, lock, all.

Example (each single quote inside the JSON body is written as '\'' so that the shell passes it through to Ranger instead of ending the quoted string):

curl -H "Content-Type: application/json" -X POST http://localhost:6080/service/plugins/policies -u admin:admin -d '{"policyType":"0","name":"P100","isEnabled":true,"isAuditEnabled":true,"description":"","resources":{"tag":{"values":["tags-test"],"isRecursive":"","isExcludes":false}},"policyItems":[{"groups":["public"],"conditions":[{"type":"accessed-after-expiry","values":[]},{"type":"tag-expression","values":["tags.attr['\''type'\'']=='\''abc'\''"]}],"accesses":[{"type":"hive:select","isAllowed":true},{"type":"hive:update","isAllowed":true},{"type":"hive:create","isAllowed":true},{"type":"hive:drop","isAllowed":true},{"type":"hive:alter","isAllowed":true},{"type":"hive:index","isAllowed":true},{"type":"hive:lock","isAllowed":true},{"type":"hive:all","isAllowed":true}]}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"service":"tagdev"}'

Update existing policy with policy condition:

The example below updates a policy for the tag `tags-test` and assigns it to the `public` group with the policy condition tags.attr['type']=='abc', selecting all Hive component permissions: select, update, create, drop, alter, index, lock, all.

REST URL: http://<host-name>:6080/service/plugins/policies/<policy-id>

Example (each single quote inside the JSON body is written as '\'' so that the shell passes it through to Ranger instead of ending the quoted string):

curl -H "Content-Type: application/json" -X PUT http://localhost:6080/service/plugins/policies/18 -u admin:admin -d '{"id":18,"guid":"ea78a5ed-07a5-447a-978d-e636b0490a54","isEnabled":true,"createdBy":"Admin","updatedBy":"Admin","createTime":1490802077000,"updateTime":1490802077000,"version":1,"service":"tagdev","name":"P0101","policyType":0,"description":"","resourceSignature":"e5fdb911a25aa7f77af5a9546938d9ed","isAuditEnabled":true,"resources":{"tag":{"values":["tags"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"hive:select","isAllowed":true},{"type":"hive:update","isAllowed":true},{"type":"hive:create","isAllowed":true},{"type":"hive:drop","isAllowed":true},{"type":"hive:alter","isAllowed":true},{"type":"hive:index","isAllowed":true},{"type":"hive:lock","isAllowed":true},{"type":"hive:all","isAllowed":true}],"users":[],"groups":["public"],"conditions":[{"type":"ip-range","values":["tags.attributes['\''type'\'']=abc"]}],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[]}'
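
Policies that were already saved through the form keep the escaped text in their conditions. The following Python check is an added example, not part of the original release note or of Ranger: it finds condition values that contain the escaped forms of the special characters listed above and returns a repaired copy of the policy for the PUT request of Option #1. The entity list is what underscore's `_.escape` produces; the function names and the sample policy are constructed for illustration.

```python
import copy
import re

# Entities that underscore's _.escape() emits for & < > " ' `
ENTITIES = {"&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#x27;": "'", "&#x60;": "`"}
ESCAPED = re.compile("|".join(map(re.escape, ENTITIES)))
# Item lists that can carry conditions (field names from the REST payloads above)
ITEM_LISTS = ("policyItems", "denyPolicyItems", "allowExceptions", "denyExceptions")


def unescape_value(value, max_rounds=5):
    """Undo the escaping; the loop covers values that were escaped more than once."""
    for _ in range(max_rounds):
        if not ESCAPED.search(value):
            break
        value = ESCAPED.sub(lambda m: ENTITIES[m.group(0)], value)
    return value


def iter_conditions(policy):
    for list_name in ITEM_LISTS:
        for item in policy.get(list_name) or []:
            for cond in item.get("conditions") or []:
                yield list_name, cond


def find_escaped_conditions(policy):
    """Return (item list, condition type, stored value, repaired value) tuples."""
    return [(name, cond.get("type"), v, unescape_value(v))
            for name, cond in iter_conditions(policy)
            for v in cond.get("values") or [] if ESCAPED.search(v)]


def repair_policy(policy):
    """Return a copy with condition values unescaped, ready for a REST PUT."""
    fixed = copy.deepcopy(policy)
    for _, cond in iter_conditions(fixed):
        cond["values"] = [unescape_value(v) for v in cond.get("values") or []]
    return fixed


# Constructed sample: a policy as stored after being saved through the UI form
SAMPLE_POLICY = {"id": 18, "name": "P0101", "service": "tagdev", "policyItems": [
    {"groups": ["public"], "conditions": [{"type": "tag-expression", "values": [
        "tags.attr[&#x27;type&#x27;]==&#x27;abc&#x27;"]}]}],
    "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": []}

if __name__ == "__main__":
    print(find_escaped_conditions(SAMPLE_POLICY))
```

An empty result from `find_escaped_conditions` means the policy's conditions are stored unescaped and need no repair.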

Option #2: Apply JavaScript changes

Steps to update the JS file:

  1. Locate the PermissionList.js file under /usr/hdp/current/ranger-admin.

  2. Find the definition of the renderPolicyCondtion function (line no: 404).

  3. Remove the line below from that function, i.e. under the display function (line no: 434):

    val = _.escape(val);//Line No:460

After removing the above line, the Ranger UI will allow you to create policies whose policy conditions contain special characters, and policy evaluation will succeed for those policies.