
HDP 2.6 allows {user} variable in Ranger policies. Are other variables accessible, or only {user}?

HDP 2.6 allows {user} variable in Ranger policies, e.g. row-level filtering.

Are there any other variables besides {user} available, perhaps group?

Accepted Solutions

This Ranger feature provided in HDP 2.6 (Ranger 0.7 and higher) for "macro substitution" supports general-purpose identification of patterns in the resource specification and replacing them during policy evaluation with other strings to derive the name of the resource. Therefore, it is an extensible scheme that is not restricted to replacement of {USER} with the current user's name. While we offer {USER} and {OWNER} macros out of the box, this scheme can be customized by advanced Ranger users using the interfaces provided: RangerContextEnricher, RangerAccessRequest and RangerConditionEvaluator. The {OWNER} macro is useful for databases and folders, for example. To add such macros, users would need to provide an implementation of RangerContextEnricher and RangerConditionEvaluator and include it in the service-definition before using this custom "macro" in any policy. For details of this feature and how it can be extended, please see the Apache Ranger wiki at: https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable

Building such extensions is for advanced Ranger users; therefore, the community has only provided the 2 most common use cases with {USER} and {OWNER} out of the box in Ranger.
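The macro substitution described in the answer above, modelled in Python as an added illustration; it is not Apache Ranger code and not part of the original post. The context dictionary, the glob-style matching, the fail-closed handling of unresolved macros and all function names are assumptions of this example.

```python
import fnmatch
import glob
import re

# Illustrative model only: not Apache Ranger code. Macro names follow the
# post ({USER}, {OWNER}); the context dictionary layout is an assumption.
MACRO = re.compile(r"\{([A-Z_]+)\}")


def expand(pattern, context):
    """Replace each {MACRO} with its value from the request context.

    Returns None when a macro has no value, so the caller can fail closed.
    Values are glob-escaped so a substituted name is always matched
    literally and never interpreted as a wildcard.
    """
    missing = []

    def substitute(match):
        value = context.get(match.group(1))
        if not value:
            missing.append(match.group(1))
            return ""
        return glob.escape(value)

    expanded = MACRO.sub(substitute, pattern)
    return None if missing else expanded


def is_allowed(policy_resource, requested_resource, context):
    """True when the requested resource matches the expanded policy resource."""
    expanded = expand(policy_resource, context)
    if expanded is None:
        return False  # unresolved macro: the policy does not apply
    return fnmatch.fnmatchcase(requested_resource, expanded)


# Constructed sample policy resource and requests.
POLICY = "/home/{USER}/*"

if __name__ == "__main__":
    for user, path in [("alice", "/home/alice/report.csv"),
                       ("alice", "/home/bob/report.csv"),
                       ("*", "/home/bob/report.csv")]:
        print(user, path, is_allowed(POLICY, path, {"USER": user}))
```
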
