Created 08-05-2017 05:44 PM
HDP 2.6 allows {user} variable in Ranger policies, e.g. row-level filtering.
Are there any other variables besides {user} available, perhaps group?
Created 08-05-2017 10:10 PM
This Ranger feature provided in HDP2.6 (Ranger 0.7 and higher) for "macro substitution" supports general-purpose identification of patterns in the resource specification and replacing it during policy evaluation with other strings to derive the name of the resource.Therefore, it is an extensible scheme that is not restricted to replacement of {USER} with current user's name. While we offer {USER} and {OWNER} macros out of the box, this scheme can be customized by advanced Ranger users using interfaces provided: RangerContextEnricher, RangerAccessRequest and RangerConditionEvaluator. The {OWNER} macro is useful for databases and folders for example. To add such macros users would need to provide an implementation of RangerContextEnricher and RangerConditionEvaluator and include it in the service-definition before using this custom "macro" in any policy. For details of this feature and how it can be extended please see Apache Ranger wiki at: https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
Building such extensions is for advanced Ranger users, therefore, the community has only provided the 2 most common use cases with {USER} and {OWNER} out of the box in Ranger.
Created 08-05-2017 10:10 PM
This Ranger feature provided in HDP2.6 (Ranger 0.7 and higher) for "macro substitution" supports general-purpose identification of patterns in the resource specification and replacing it during policy evaluation with other strings to derive the name of the resource.Therefore, it is an extensible scheme that is not restricted to replacement of {USER} with current user's name. While we offer {USER} and {OWNER} macros out of the box, this scheme can be customized by advanced Ranger users using interfaces provided: RangerContextEnricher, RangerAccessRequest and RangerConditionEvaluator. The {OWNER} macro is useful for databases and folders for example. To add such macros users would need to provide an implementation of RangerContextEnricher and RangerConditionEvaluator and include it in the service-definition before using this custom "macro" in any policy. For details of this feature and how it can be extended please see Apache Ranger wiki at: https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
Building such extensions is for advanced Ranger users, therefore, the community has only provided the 2 most common use cases with {USER} and {OWNER} out of the box in Ranger.