Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Could group RLF policy be dynamic for group member?

avatar
Master Collaborator

Could the row level filter setup on a group be dynamic for each member of the group?

Use case is like the following:

data analysts are all in a group calledDA. If a RLF policy is setup for the DA group but the goal is to limit each member of the group to only access data assigned to him/her. this could be done easily on per-user level policy, but if the member of the group is huge, it could be lots policies to manage. Is there a way to set it on the group level something like

AssigneeID = @userID

where @userID is associated with each member.

1 ACCEPTED SOLUTION

avatar
Master Collaborator

After some help from Ranger PM, I was told this is possible by using the Hive UDF which could get the current user that's running Hive context. The function is current_user().

The solution would be to include the user information in the data or have a lookup table associate the user id with the user name.

then the role level filter would look like something like

UserName = current_user()

or

UserID in (select uid from userLookup where uname = current_user())

And I just recently punlished a HCC article detailing how to do it

https://community.hortonworks.com/content/kbentry/59582/create-dynamic-row-level-filter-in-ranger.ht...

View solution in original post

5 REPLIES 5

avatar

Filter conditions are static in Ranger 0.6, so there is no way to populate a variable like @userID dynamically. You would need to define groups as appropriate for each user's compliant access.

Filter conditions can reference other objects, but this doesn't help you much in this case, as you would need separate "filter tables" for each user which results in the same administrative overhead you are seeking to avoid.

By other objects, I mean other tables not tied to this specific policy. For instance, if I have normalized data model with a customer table and an address table, with an associated foreign key relationship, I can create a filter condition like customerID in (select customerID from customerAddress where state = 'TX').

avatar
Master Collaborator

@slachterman, since you mentioned "Filter conditions can reference other objects", could you please give a couple examples. I could think of using time like

LastUpdateTime >= DATEADD(DAY, -30, GetDate())

What other kinds of object could be used?

avatar

@Qi Wang by objects I am thinking of tables, see my updated answer. I haven't tested using a function in that way but as long as all the functions are deterministic (like GetDate()), that may work.

avatar
Master Collaborator

After some help from Ranger PM, I was told this is possible by using the Hive UDF which could get the current user that's running Hive context. The function is current_user().

The solution would be to include the user information in the data or have a lookup table associate the user id with the user name.

then the role level filter would look like something like

UserName = current_user()

or

UserID in (select uid from userLookup where uname = current_user())

And I just recently punlished a HCC article detailing how to do it

https://community.hortonworks.com/content/kbentry/59582/create-dynamic-row-level-filter-in-ranger.ht...

avatar
Rising Star

In addition to current_user() there are also other built-in udfs that you can use in the RLF conditions such as logged_in_user(), current_database() etc. . Please refer to the Hive Misc functions documentation on Apache wiki: https://cwiki.apache.org/confluence/display/Hive/LanguageManual+UDF#LanguageManualUDF-Misc.Functions