Evaluation context in policy conditions
The evaluation context in Apache Ranger enables dynamic, attribute-based access control (ABAC) by gathering and enriching request details for precise policy decisions.
When a user tries to access a resource, such as a Hive table or an HDFS file, the Apache Ranger plugin intercepts this action. It gathers all relevant details about the request into a package of information. This package is called the context enricher.
Context enricher
The context enricher is a package of information gathered by the Apache Ranger plugin for every resource access request. It serves as the foundation for the policy engine to make a precise access decision. It contains all the live data points related to the access attempt.
| Context element | Description | Example data |
|---|---|---|
| Who (Identity) | The principal (user and associated groups) making the request. | user: john_doe, groups: finance_analysts |
| What (Resource) | The specific resource the user is attempting to access. | resource: /data/finance/salaries.csv (HDFS path) |
| How (Action) | The operation being performed. | action: read |
| Where (Origin) | The network location of the client making the request. | clientIPAddress: 10.0.2.15 |
| When (Time) | The current time of the request. | currentTimestamp: 2026-01-29T21:18:00Z |

| Enricher | Data added to context | Description |
|---|---|---|
| Tag enricher | TAGS, TAG_OBJECT | Incorporates metadata tags associated with the resource. |
| User store enricher | USERSTORE attributes | Adds user or group attributes fetched from external stores, for example, LDAP. |
| GDS enricher | Governance, data sharing information | Integrates data governance and sharing details. |
| Zone enricher | Security zone information | Identifies the security zone the resource belongs to. |
Context population lifecycle
- Initial setup – The plugins gather basic request information, for example, resource path and requested action.
- Enrichment phase – Context enrichers run, adding specialized data, such as tags and user attributes, to the context.
- Evaluation phase – The policy engine checks the enriched context against defined policies. Evaluators may also modify the context.
- Cleanup phase – Any temporary data added to the context is removed.
Custom conditions and attribute-based access control (ABAC)
The ctx object is the key to implementing dynamic, attribute-based access control (ABAC). It allows policies to go beyond simple identity and resource checks to evaluate environmental, user, or time-based attributes.
- Static rule example (without ctx): Allow group finance_analysts to read table salaries.
- Dynamic ABAC rule example (with ctx): Allow group finance_analysts to read table salaries only if the request is coming from an internal IP address and it is during business hours.
You can write custom conditions as JavaScript-like expressions in the Custom Conditions box within the Ranger Policy UI.
| Policy objective | Example expression |
|---|---|
| Restrict access by IP Address | ctx.request.clientIPAddress == '10.0.2.15' |
| Restrict access by Time | ctx.request.currentTimestamp.getHours() >= 9 && ctx.request.currentTimestamp.getHours() <= 17 |
The first expression evaluates to true only if the request originates from the specified IP address; the second only if the request occurs during the specified hours. Joining them with && gives the dynamic ABAC rule described above, which requires both. If the expression evaluates to true, the policy condition is met, and the access decision (allow/deny) is processed.
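The combined rule from the ABAC example above, written out as an added JavaScript example (not code from the Apache Ranger project): a constructed stand-in for the ctx.request object, the two attribute checks, and their conjunction. It assumes "internal" means the 10.0.0.0/8 range and that business hours are 09:00 to 17:00 inclusive in the evaluating host's local time zone; any missing or malformed attribute makes the condition false.

```javascript
// Added example, not code from the Apache Ranger project: a stand-in for the
// ctx.request object that a Ranger custom condition sees, plus the combined
// ABAC rule from the text (internal IP AND business hours) as a function.
// Assumptions: "internal" means 10.0.0.0/8; business hours are 09:00-17:00
// inclusive, in the local time zone of the host evaluating the policy.
const INTERNAL_FIRST_OCTET = 10;
const BUSINESS_START_HOUR = 9;
const BUSINESS_END_HOUR = 17;

// Constructed request context shaped like the fields listed in the first table.
function makeCtx(user, groups, resource, action, clientIPAddress, currentTimestamp) {
  return { request: { user, groups, resource, action, clientIPAddress, currentTimestamp } };
}

// Parse a dotted-quad IPv4 string; returns null for anything malformed so
// that a bad or missing attribute can never satisfy the condition.
function parseIPv4(ip) {
  if (typeof ip !== 'string') return null;
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

function isInternalIP(ip) {
  const octets = parseIPv4(ip);
  return octets !== null && octets[0] === INTERNAL_FIRST_OCTET;
}

// Date.getHours() is local time on the evaluating host; a plugin running in a
// different zone from the one the business defines shifts the whole window.
function isBusinessHours(ts) {
  if (!(ts instanceof Date) || Number.isNaN(ts.getTime())) return false;
  const hour = ts.getHours();
  return hour >= BUSINESS_START_HOUR && hour <= BUSINESS_END_HOUR;
}

// The dynamic rule: true only when BOTH attributes are satisfied. A missing
// request, address or timestamp yields false, i.e. the condition fails closed.
function conditionMet(ctx) {
  const req = ctx && ctx.request;
  if (!req) return false;
  return isInternalIP(req.clientIPAddress) && isBusinessHours(req.currentTimestamp);
}

// Constructed sample: the request from the tables above, made at 10:00 local time.
const sample = makeCtx('john_doe', ['finance_analysts'], '/data/finance/salaries.csv',
  'read', '10.0.2.15', new Date(2026, 0, 29, 10, 0, 0));
console.log(conditionMet(sample)); // true
```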
