Tag attributes with ctx or _ctx object for policy conditions

Tag attributes in the Atlas-Ranger integration enable a transition from basic resource-based access control to a highly scalable and efficient attribute-based access control (ABAC) model.

Tag attributes enhance basic classifications by adding key-value metadata. For example, rather than merely tagging a Hive table as PII, you can tag it with a classification such as DATA_SENSITIVITY and add attributes such as level='HIGH'.

The Ranger policy engine can read these attribute values during access evaluation. This allows you to create a single, dynamic policy, such as "Allow the compliance_team to access any data where the DATA_SENSITIVITY level is HIGH," instead of creating separate policies for every sensitive data asset.

Creating a tag with attributes in Apache Atlas

First, define the schema of your tag (called a classification in Apache Atlas) and the attributes it can carry.
  1. Go to the Classifications tab in the Atlas UI.
  2. Create a New Classification named DATA_CLASSIFICATION.
  3. Add attributes to it by clicking Add Attribute and defining the metadata you want to store.
    Example
    • Attribute Name: sensitivity_level
    • Data Type: string
  4. Apply the tag to a data asset.
    For example, find a resource such as a Hive table named customer_contact_info. Apply the new DATA_CLASSIFICATION tag to it. When you do so, the Atlas UI will prompt you to set the values for your attributes.
    • Set sensitivity_level to HIGH.

This metadata is now managed in Apache Atlas and will be synchronized to Apache Ranger through TagSync.

Using tag attributes in an Apache Ranger policy condition

After the tag information has been synchronized to Apache Ranger, you can reference the tag's attributes in your policy conditions.

Create a policy that only allows members of the security_auditors group to SELECT data that has been explicitly classified with a CRITICAL sensitivity level.
  1. In Ranger Admin Web UI, create a new tag-based policy for the Hive service.
  2. In the TAG field, select DATA_CLASSIFICATION.
  3. Define the policy item (rule) in Allow Conditions.

    For example, "Grant SELECT permission to the group security_auditors."

  4. In the Custom Conditions text box, enter the following JavaScript:
    // This condition checks the value of the 'sensitivity_level' attribute on the
    // DATA_CLASSIFICATION tag associated with the resource. The policy item applies
    // only if the value is 'HIGH' (a string, so the value must be quoted).
    // The same check can be written in any one of the following equivalent forms;
    // enter only one of them in the text box:
    GET_TAG_ATTR('sensitivity_level') == 'HIGH';
    // or
    _ctx.tag.sensitivity_level == 'HIGH';
    // or
    tagAttr.sensitivity_level == 'HIGH';
    // or
    ctx.tagAttr('sensitivity_level') == 'HIGH';
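As an added illustration of how the two halves above fit together (the Atlas classification with its attribute, and the Ranger tag-based policy whose custom condition reads that attribute), the following JavaScript is a small simulation and is not Atlas's or Ranger's own code. The `ctx`, `_ctx`, `tagAttr` and `GET_TAG_ATTR` names are constructed stand-ins whose shapes are assumed from the four condition forms shown above; the sample tags, the policy and the requests are constructed as well. It shows the four equivalent condition forms evaluating identically, a tag without the attribute being denied, and why an unquoted value such as `== HIGH` is a script error rather than a comparison.

```javascript
'use strict';

// Constructed sample tags as TagSync would deliver them to Ranger from the
// Atlas classification defined above: a classification name plus attributes.
const SAMPLE_TAGS = {
  high:    { type: 'DATA_CLASSIFICATION', attributes: { sensitivity_level: 'HIGH' } },
  low:     { type: 'DATA_CLASSIFICATION', attributes: { sensitivity_level: 'LOW' } },
  missing: { type: 'DATA_CLASSIFICATION', attributes: {} },
  other:   { type: 'PII', attributes: { sensitivity_level: 'HIGH' } },
};

// Build the variables a condition script can see for one tag. The shapes are
// assumptions that mirror the four forms shown on this page:
//   GET_TAG_ATTR('x'), _ctx.tag.x, tagAttr.x and ctx.tagAttr('x').
function buildScriptScope(tag) {
  const attrs = { ...tag.attributes };
  const ctx = { tagAttr: (name) => attrs[name] };
  return {
    ctx,
    _ctx: { tag: { ...attrs } },
    tagAttr: attrs,
    GET_TAG_ATTR: ctx.tagAttr,
  };
}

// Evaluate one condition script against one tag. Comment lines and a trailing
// semicolon are tolerated, as in the text box example. Returns a boolean; throws
// if the script itself is broken (for example an unquoted HIGH, which JavaScript
// treats as an undefined variable rather than as the string 'HIGH').
function evaluateCondition(conditionScript, tag) {
  const expr = conditionScript
    .split('\n')
    .filter((line) => !line.trim().startsWith('//'))
    .join(' ')
    .trim()
    .replace(/;\s*$/, '');
  const scope = buildScriptScope(tag);
  const fn = new Function(...Object.keys(scope), `return Boolean(${expr});`);
  return fn(...Object.values(scope));
}

// Constructed tag-based policy mirroring the page: on DATA_CLASSIFICATION tags,
// allow SELECT to group security_auditors only when the condition holds.
const SAMPLE_POLICY = {
  tagType: 'DATA_CLASSIFICATION',
  allowItems: [
    {
      groups: ['security_auditors'],
      accesses: ['select'],
      condition: "GET_TAG_ATTR('sensitivity_level') == 'HIGH';",
    },
  ],
};

// Decide a request against the policy: the tag type must match, the user must
// be in an allowed group with the requested access, and the condition must hold.
function isAccessAllowed(policy, request, resourceTags) {
  return resourceTags.some((tag) => {
    if (tag.type !== policy.tagType) return false;
    return policy.allowItems.some((item) =>
      item.groups.some((g) => request.groups.includes(g)) &&
      item.accesses.includes(request.accessType) &&
      evaluateCondition(item.condition, tag));
  });
}

// Run constructed sample requests and return the decisions (true = allowed).
function runSamples() {
  const auditor = { user: 'alice', groups: ['security_auditors'], accessType: 'select' };
  const analyst = { user: 'bob', groups: ['analysts'], accessType: 'select' };
  return {
    auditorOnHigh:   isAccessAllowed(SAMPLE_POLICY, auditor, [SAMPLE_TAGS.high]),
    auditorOnLow:    isAccessAllowed(SAMPLE_POLICY, auditor, [SAMPLE_TAGS.low]),
    auditorNoAttr:   isAccessAllowed(SAMPLE_POLICY, auditor, [SAMPLE_TAGS.missing]),
    auditorWrongTag: isAccessAllowed(SAMPLE_POLICY, auditor, [SAMPLE_TAGS.other]),
    analystOnHigh:   isAccessAllowed(SAMPLE_POLICY, analyst, [SAMPLE_TAGS.high]),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

Only the auditor's request against a DATA_CLASSIFICATION tag whose sensitivity_level is HIGH is allowed; a LOW value, a tag with no attribute set, a tag of a different type, and a user outside security_auditors are all denied. The condition is deliberately evaluated only after the group and access checks, so a broken script cannot widen access to users the policy item does not name.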