Using tag attributes and values in Ranger tag-based policy conditions
Enter boolean expression allows Ranger to use tag attributes and values when configuring tag-based policy Allow or Deny conditions. It allows admins to provide boolean expression(s) using tag attributes.
{
  "itemId": 2,
  "name": "expression",
  "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
  "evaluatorOptions": {
    "engineName": "JavaScript",
    "ui.isMultiline": "true"
  },
  "uiHint": "{ \"isMultiline\": true }",
  "label": "Enter boolean expression",
  "description": "Boolean expression"
}- 
                  ctx: Context handler containing APIs to access metadata information from the request.
- 
                  tag: Information about the current tag.
- 
                  tagAttr: Map containing all the current tag attributes and corresponding values.
- 
                  getUser(): Returns a string.
- 
                  getUserGroups(): Returns a set of strings containing groups.
- 
                  getClientIPAddress(): Returns a string containing client IP address.
- 
                  getAction(): Returns a string containing information about the action being requested.
- 
                  User “sam” needs to be denied a policy based on the IP address of the machine from where the resources are accessed. Set the deny condition for usersamwith the following boolean expression:if ( tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) ) { ctx.result = true; }
- 
                  Deny one particular user, “bob” from a group, “users”, only when this user is accessing resources from a particular IP defined as an tag attribute in Atlas. Set the deny condition for groupuserswith the following boolean expression:if (tagAttr.get('ipAddr').equals(ctx.getClientIPAddress()) && ctx.getUser().equals("bob")) { ctx.result=true; }

