Adding a policy condition to a resource-based policy

You can add a condition to a resource-based policy using the Ranger Admin Web UI when creating a new policy or editing an existing one.

Ranger Admin Web UI supports adding the following policy conditions to a new or existing resource-based policy for Knox, Kafka and Kafka-connect services.
  • IP Address Range, for example: xx.xxx.xxx, yy.yyy.yy
  • Boolean expression, for example: Country_Name="XYZ"
The Policy Conditions dialog prompts for inputs using uiHint JSON. For example, to populate "IP-range", we use JSON like this:
{
    "itemId": 1,
    "name": "ip-range",
    "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher",
    "evaluatorOptions": {},
    "validationRegEx": "",
    "validationMessage": "",
    "uiHint": "{ \"isMultiValue\":true }",
    "label": "IP Address Range",
    "description": "IP Address Range"
}
  1. In Service Manager > Resource Policies > cm_knox_policies (for example), choose one of the following:
    • Add New Policy: to add a new, tag-based policy.
    • Policy ID: click a policy ID to edit an existing policy.
  2. In either Create Policy or Edit Policy > Policy Conditions, click +.
  3. In Policy Conditions:
    1. In IP Address Range, enter or choose existing ip.address.values.
    2. In Enter boolean expression, enter an expression that evaluates to true or false.
  4. Click Save.
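
A pre-check for values before they are entered in the IP Address Range field, built on the condition definition shown on this page. This is an added example, not Ranger or Cloudera code; the function names, the sample values, the accepted value format (a full address or an IPv4 prefix ending in .*) and whole-value matching for validationRegEx are assumptions.

```python
import ipaddress
import json
import re

# Condition definition copied from this page.
CONDITION_DEF = json.loads(r'''{
    "itemId": 1,
    "name": "ip-range",
    "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher",
    "evaluatorOptions": {},
    "validationRegEx": "",
    "validationMessage": "",
    "uiHint": "{ \"isMultiValue\":true }",
    "label": "IP Address Range",
    "description": "IP Address Range"
}''')

def ui_hint(cond_def):
    """uiHint is JSON stored inside a JSON string, so it needs a second decode."""
    return json.loads(cond_def.get("uiHint") or "{}")

def is_ip_or_prefix(value):
    """Assumed format: full IPv4/IPv6 address, or IPv4 prefix ending in '.*'."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){0,2})\.\*", value)
    return bool(m) and all(int(octet) <= 255 for octet in m.group(1).split("."))

def check_values(cond_def, values):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    if len(values) > 1 and not ui_hint(cond_def).get("isMultiValue", False):
        problems.append("condition accepts a single value only")
    # Assumption: a non-empty validationRegEx must match the whole value.
    regex = cond_def.get("validationRegEx") or ""
    for value in values:
        if regex and not re.fullmatch(regex, value):
            problems.append(f"{value!r}: {cond_def.get('validationMessage') or 'fails validationRegEx'}")
        elif not is_ip_or_prefix(value):
            problems.append(f"{value!r}: not an IP address or '.*' prefix")
    return problems

if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    for line in check_values(CONDITION_DEF, ["192.0.2.10", "198.51.100.*", "203.0.113.300", "10.0.0.0/8"]):
        print(line)
```

Because validationRegEx is empty in the definition above, the definition itself supplies no pattern for input validation, so the format check here is the only one applied to each value.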