Using tag attributes and values in Ranger tag-based policy conditions
The “Enter boolean expression” condition allows Ranger to use tag attributes and their values when configuring the Allow or Deny conditions of a tag-based policy. Admins write one or more boolean expressions, in JavaScript, that reference the attributes of the tag attached to the resource. The condition is defined in the service definition as follows:
{
"itemId":2,
"name":"expression",
"evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
"evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
"label":"Enter boolean expression",
"description": "Boolean expression"
}
The following objects are available to the expression:
- ctx: Context handler containing APIs to access metadata information from the request.
- tag: Information about the current tag.
- tagAttr: Map containing all the current tag attributes and their corresponding values.
The ctx object provides the following methods:
- getUser(): Returns a string containing the user name.
- getUserGroups(): Returns a set of strings containing the user's groups.
- getClientIPAddress(): Returns a string containing the client IP address.
- getAction(): Returns a string containing information about the action being requested.
Examples:
- User “sam” needs to be denied access, by a policy, based on the IP address of the machine from which the resources are accessed. Set the deny condition for user sam with the following boolean expression:
  if ( tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) ) { ctx.result = true; }
- Deny one particular user, “bob”, from the group “users”, only when this user is accessing resources from a particular IP address defined as a tag attribute in Atlas. Set the deny condition for group users with the following boolean expression:
  if (tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) && ctx.getUser().equals("bob")) { ctx.result=true; }
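To check a condition before saving it in the policy, the harness below (an added example, not code from the Ranger documentation or code base) mimics the ctx, tag and tagAttr objects in plain JavaScript and evaluates the two expressions from this page. The jstr shim, the sample request and tag values, and the guarded variant for a tag that lacks the ipAddr attribute are constructed assumptions, not Ranger behaviour.

```javascript
// Ranger runs the condition on a JVM script engine, where tag attribute values
// and ctx return values are Java strings with .equals(); jstr() mimics that.
function jstr(s) {
  const o = new String(s);
  o.equals = (other) => String(o) === String(other);
  return o;
}

// Build the evaluation context for one access request (constructed sample values).
function makeContext(request, tagAttributes) {
  const tagAttr = new Map(Object.entries(tagAttributes).map(([k, v]) => [k, jstr(v)]));
  const ctx = {
    result: false, // the condition sets this to true to make the Deny condition fire
    getUser: () => jstr(request.user),
    getUserGroups: () => new Set(request.groups),
    getClientIPAddress: () => jstr(request.clientIp),
    getAction: () => jstr(request.action),
  };
  return { ctx, tag: { type: request.tagType }, tagAttr };
}

// Run a condition script exactly as typed into the policy UI and report whether
// it set ctx.result to true for this request.
function evaluateCondition(script, request, tagAttributes) {
  const { ctx, tag, tagAttr } = makeContext(request, tagAttributes);
  new Function('ctx', 'tag', 'tagAttr', script)(ctx, tag, tagAttr);
  return ctx.result === true;
}

// The two expressions shown on this page.
const DENY_BY_IP =
  "if ( tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) ) { ctx.result = true; }";
const DENY_BOB_BY_IP =
  "if (tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) && ctx.getUser().equals(\"bob\")) { ctx.result=true; }";

// Assumed guarded variant: a tag without the ipAddr attribute makes tagAttr.get()
// return null/undefined, so the unguarded form throws instead of evaluating to
// false; checking for a missing attribute first keeps the condition predictable.
const DENY_BY_IP_GUARDED =
  "var ip = tagAttr.get('ipAddr'); if (ip != null && ip.equals(ctx.getClientIPAddress())) { ctx.result = true; }";

// Constructed sample requests.
const bobFromTaggedIp = { user: 'bob', groups: ['users'], clientIp: '10.0.0.5', action: 'read', tagType: 'PII' };
const samFromTaggedIp = { user: 'sam', groups: ['users'], clientIp: '10.0.0.5', action: 'read', tagType: 'PII' };
const samFromOtherIp = { user: 'sam', groups: ['users'], clientIp: '10.0.0.9', action: 'read', tagType: 'PII' };
```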