Hi everyone,
I've been exploring Ranger for access control with Trino and while doing some tests I found out that, for one of the use cases I need, a user could be in multiple groups. Each of the groups would have a custom row level filter in the same table.
Example of row level filters:
Select Group = Group_UK, Access Type = Select, Row Level Filter = (country = 'UK')
Select Group = Group_DE, Access Type = Select, Row Level Filter = (country = 'DE')
If I have a row level policy defined as shown in the example and my user is in both of these groups, I will only be able to see the data with the row level filter (country = 'UK'). All other filters coming after the first one won't work for any of the users that are in multiple groups.
Is there a way to enable this functionality in Ranger? Or can I only give one filter to one user per table? e.g. Select User = user_a, Access Type = Select, Row Level Filter = (country in ('UK', 'DE'))
I came up with a workaround for this, which is to deduce the needed filter based on the groups a user is part of, create row level filters only for users through a script, and update the row level policies with the REST API in Ranger.
Example 1:
user_a is in Group_UK and Group_DE
Therefore the following filter will be created:
Select User = user_a, Access Type = Select, Row Level Filter = (country in ('UK', 'DE'))
Example 2:
user_b is in Group_UK
Therefore the following filter will be created:
Select User = user_b, Access Type = Select, Row Level Filter = (country in ('UK'))
Regards and thanks in advance.
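
The workaround described in this post, sketched as an added example (not code from the original poster or from the Ranger project): it merges each user's group filters into one `IN (...)` expression and builds the `rowFilterPolicyItems` list of a Ranger row-filter policy. The group-to-country map, the user list, the `select` access type name and the choice to give users with no mapped group a match-nothing filter are assumptions; sending the result to Ranger is left out.

```python
import json
from collections import defaultdict

# Constructed sample data (assumptions, not from a real deployment).
GROUP_COUNTRIES = {"Group_UK": "UK", "Group_DE": "DE"}
USER_GROUPS = {
    "user_a": ["Group_UK", "Group_DE"],
    "user_b": ["Group_UK"],
    "user_c": ["Group_Other"],  # member of no mapped group
}

def sql_literal(value):
    """Quote a value as a SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"

def filter_for(groups, group_countries=GROUP_COUNTRIES):
    """Merge the countries of all mapped groups into one IN (...) filter."""
    countries = sorted({group_countries[g] for g in groups if g in group_countries})
    if not countries:
        # Assumption: a user with no mapped group gets a filter that matches
        # no rows, instead of being left without any row filter item.
        return "1 = 0"
    return "country in (" + ", ".join(sql_literal(c) for c in countries) + ")"

def build_row_filter_items(user_groups, group_countries=GROUP_COUNTRIES):
    """Return rowFilterPolicyItems, one item per distinct filter expression.

    Each user appears in exactly one item, so the order in which the items
    are evaluated no longer decides which filter a user receives.
    """
    users_by_filter = defaultdict(list)
    for user, groups in sorted(user_groups.items()):
        users_by_filter[filter_for(groups, group_countries)].append(user)
    return [
        {
            "users": users,
            "groups": [],
            "accesses": [{"type": "select", "isAllowed": True}],
            "rowFilterInfo": {"filterExpr": expr},
        }
        for expr, users in sorted(users_by_filter.items())
    ]

if __name__ == "__main__":
    print(json.dumps(build_row_filter_items(USER_GROUPS), indent=2))
```

The script has to be re-run whenever group membership changes, otherwise a user removed from a group keeps the wider filter until the next update.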