Wildcards and variables in resource-based policies
Reference for wildcards and variables in resource-based policies.
Ranger Authorization Resource Policy Wildcard Characters
-
*
indicates zero or more occurrences of characters -
?
indicates a single character
Ranger Authorization Resource Policy {USER} Variable
Ranger Authorization Resource Policy {USER} Variable Recommended Practices and Customizability
Ranger requires that string '{USER}' is used to represent accessing user as the user in the policy-item in a Ranger policy. However, Ranger provides flexible way of customizing the string that is used as shorthand to represent the accessing user's name in the policy resource specification. By default, Ranger policy resource specification expects characters '{' and '}' as delimiters for string 'USER', however, ranger supports customizable way of specifying delimiter characters, escaping those delimiters, and the string 'USER' itself by prefixing it with another, user-specified string on a per resource-level basis in the service definition of each component supported by Ranger.
"resources": [
{
"itemId": 1,
"name": "path",
"type": "path",
"level": 10,
"parent": "",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": true,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
"matcherOptions": {"wildcard": true, "ignoreCase": false}, "replaceTokens":true, "tokenDelimiterStart":"%", "tokenDelimiterEnd":"%", "tokenDelimiterPrefix":"rangerToken:"}
"validationRegEx":"",
"validationMessage": "",
"uiHint":"",
"label": "Resource Path",
"description": "HDFS file or directory
path"
}
]
resource: path=/home/%rangerToken:USER%
user: {USER}
permissions: all, delegateAdmin=true
-
replaceTokens: true if short-hand for user in resource-spec needs to be replaced at run-time with current-user's name; false if the resource-spec needs to be interpreted as it is. Default value: true.
-
tokenDelimiterStart: Identifies start character of short-hand for current-user in resource specification. Default value: {.
-
tokenDelimiterEnd: Identifies end character of short-hand for current-user in resource specification. Default value:}.
-
tokenDelimiterEscape: Identifies escape character for escaping tokenDelimiterStart or tokenDelimiterEnd values in resource specification. Default value: \.
-
tokenDelimiterPrefix: Identifies special prefix which together with string 'USER' makes up short-hand for current-user's name in the resource specification. Default value: .