Policy conditions in Apache Ranger
Policy conditions in Apache Ranger enable dynamic, context-aware access control by using JavaScript expressions to evaluate requests at the policy and policy-item levels. Instead of only specifying who can access what, you can also control under which conditions access is allowed.
A policy condition is a JavaScript expression that Apache Ranger evaluates at request time to decide whether to evaluate the policy or a policy item at all.
These expressions must evaluate to boolean values and can be used in the following configurations:
- Resource-based policies (allow and deny)
- Tag-based policies (allow and deny)
- Row-level filters
- Column masking
If the condition evaluates to true, access evaluation continues. If it evaluates to false, the policy or policy item is skipped.
Evaluation order and precedence
- Matches the policy. Apache Ranger first identifies the list of policies whose resource definition matches the requested resource, for example, an HDFS path or a Hive table.
- Evaluates the policy-level condition. Apache Ranger then evaluates the custom condition set at the main policy level.
  - If this condition evaluates to false, the entire policy is skipped. None of the individual allow or deny rules within it are considered, and Apache Ranger moves to the next policy.
  - If this condition evaluates to true, or if no policy-level condition exists, Apache Ranger proceeds to evaluate the individual rules (policy items) within that policy.
- Evaluates the policy-item-level condition. Apache Ranger evaluates the specific condition attached to each rule (policy item) within the matched policy.
  - If the rule-level condition evaluates to true, the policy engine checks the user, group, and access privileges in that specific policy item.
  - If the rule-level condition evaluates to false, that specific rule is ignored.
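The following is an added example, not Apache Ranger's own engine: a small JavaScript model of the three evaluation steps above, with constructed policies and requests. Conditions are written as plain predicates over the request object rather than as the expression strings Ranger evaluates, and deny items and exceptions are left out to keep the focus on how a false condition skips a whole policy versus a single policy item.

```javascript
// Constructed sample policies for a Hive table (illustrative names and attributes).
const policies = [
  {
    name: "finance-ledger-business-hours",
    resource: "hive:finance.ledger",
    // Policy-level condition: the whole policy only applies from 09:00 to 16:59.
    condition: (req) => req.hour >= 9 && req.hour < 17,
    items: [
      // Item-level condition: finance staff also need an "internal" clearance attribute.
      { groups: ["finance"], users: [], accesses: ["select"],
        condition: (req) => req.userAttrs.clearance === "internal" },
      // No item-level condition: auditors are checked on user and access type alone.
      { groups: [], users: ["auditor"], accesses: ["select"], condition: null },
    ],
  },
];

// Step 3: a policy item applies only if its condition is true (or absent)
// and the requesting principal and access type match the item.
function itemApplies(item, req) {
  if (item.condition && item.condition(req) !== true) return false; // rule ignored
  const principalOk = item.users.includes(req.user) ||
    item.groups.some((g) => req.groups.includes(g));
  return principalOk && item.accesses.includes(req.access);
}

// Steps 1 to 3 in order; returns the decision plus a trace of what was skipped.
function isAllowed(req, pols = policies) {
  const trace = [];
  for (const p of pols) {
    if (p.resource !== req.resource) continue;        // step 1: resource match
    if (p.condition && p.condition(req) !== true) {   // step 2: policy-level condition
      trace.push(`policy ${p.name}: skipped, condition false`);
      continue;                                       // its items are never examined
    }
    for (const [i, item] of p.items.entries()) {      // step 3: item-level conditions
      if (itemApplies(item, req)) return { allowed: true, trace };
      trace.push(`policy ${p.name}: item ${i} not applicable`);
    }
  }
  return { allowed: false, trace };
}

// Constructed requests: same user and table, different hour and attributes.
const base = { resource: "hive:finance.ledger", user: "alice", groups: ["finance"],
  access: "select", userAttrs: { clearance: "internal" } };
const inHours = isAllowed({ ...base, hour: 10 });     // allowed by item 0
const afterHours = isAllowed({ ...base, hour: 20 });  // whole policy skipped
const lowClearance = isAllowed({ ...base, hour: 10, userAttrs: { clearance: "external" } });
```

The trace makes the difference visible: after hours the policy is skipped before any item is looked at, whereas a failing item-level condition only removes that one item and the remaining items are still checked.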