Adding a policy condition to a resource-based policy

You can add a condition to a resource-based policy, using Ranger Admin Web UI when creating a new, or editing an existing policy.

Ranger Admin Web UI supports adding the following policy conditions to a new or existing resource-based policy for Knox, Kafka and Kafka-connect services.
  • IP Address Range for example -, yy.yyy.yy
  • Boolean expression for example - Country_Name="XYZ"
The Policy Conditions dialog prompts for inputs using uhint JSON. For populating For populating "IP-range" for example, we are using JSON like this:
    "itemId": 1,
    "name": "ip-range",
    "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher",
    "evaluatorOptions": {},
    "validationRegEx": "",
    "validationMessage": "",
    "uiHint": "{ \"isMultiValue\":true }",
    "label": "IP Address Range",
    "description": "IP Address Range"
  1. In Service Manager > Resource Policies > cm_knox_policies (for example), choose one of the following:
    Add New Policy
    to add a new, tag-based policy.
    Policy ID
    click a policy ID to edit an existing policy.
  2. In either Create Policy or Edit Policy > Policy Conditions, click +.
  3. In Policy Conditions:
    1. In IP Address Range ?, enter or choose existing ip.address.values .
    2. In Enter boolean expression, enter an expression that evaluates to true or false.
  4. Click Save.