Using tag attributes and values in Ranger tag-based policy conditions

Enter boolean expression allows Ranger to use tag attributes and values when configuring tag-based policy Allow or Deny conditions. It allows admins to provide boolean expression(s) using tag attributes.

The policy condition is introduced in the tag service definition:
      "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
      "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
      "label":"Enter boolean expression",
      "description": "Boolean expression"
The following variables can be referenced in the boolean expression:
  • ctx: Context handler containing APIs to access metadata information from the request.

  • tag: Information about the current tag.

  • tagAttr: Map containing all the current tag attributes and corresponding values.

The following APIs available from the request:
  • getUser(): Returns a string.

  • getUserGroups(): Returns a set of strings containing groups.

  • getClientIPAddress(): Returns a string containing client IP address.

  • getAction(): Returns a string containing information about the action being requested.

For two scenarios:
  • User “sam” needs to be denied a policy based on the IP address of the machine from where the resources are accessed.

    Set the deny condition for user sam with the following boolean expression:
    if ( tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) ) {
    	ctx.result = true;
  • Deny one particular user, “bob” from a group, “users”, only when this user is accessing resources from a particular IP defined as an tag attribute in Atlas.

    Set the deny condition for group users with the following boolean expression:
    if (tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) && ctx.getUser().equals("bob"))  {