
HDP 2.6 allows {user} variable in Ranger policies. Are other variables accessible, or only {user}?

Guru

HDP 2.6 allows {user} variable in Ranger policies, e.g. row-level filtering.

Are there any other variables besides {user} available, perhaps group?

1 ACCEPTED SOLUTION

Rising Star

This Ranger feature, provided in HDP 2.6 (Ranger 0.7 and higher) for "macro substitution", supports general-purpose identification of patterns in the resource specification and replacing them during policy evaluation with other strings to derive the name of the resource. Therefore, it is an extensible scheme that is not restricted to replacement of {USER} with the current user's name. While we offer {USER} and {OWNER} macros out of the box, this scheme can be customized by advanced Ranger users using the interfaces provided: RangerContextEnricher, RangerAccessRequest and RangerConditionEvaluator. The {OWNER} macro is useful for databases and folders, for example. To add such macros, users would need to provide an implementation of RangerContextEnricher and RangerConditionEvaluator and include it in the service-definition before using this custom "macro" in any policy. For details of this feature and how it can be extended, please see the Apache Ranger wiki at: https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable

Building such extensions is for advanced Ranger users; therefore, the community has only provided the 2 most common use cases, {USER} and {OWNER}, out of the box in Ranger.

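A simplified Python model of the macro substitution described in the answer above, added here as an illustration; it is not Ranger code and does not use Ranger's Java interfaces. The `dept_enricher` function, the `{DEPT}` token and the sample users and paths are hypothetical, and treating an unresolved token as "no match" and escaping wildcards in substituted values are choices made by this model.

```python
import fnmatch
import re

TOKEN = re.compile(r"\{([A-Z_]+)\}")

def dept_enricher(request, context):
    """Hypothetical enricher: adds a DEPT token from a constructed lookup table."""
    dept = {"alice": "finance", "bob": "hr"}.get(request["user"])
    if dept is not None:
        context["DEPT"] = dept

def build_context(request, enrichers=()):
    """Collect the token values available for one access request."""
    context = {"USER": request["user"]}
    if request.get("owner") is not None:
        context["OWNER"] = request["owner"]
    for enrich in enrichers:
        enrich(request, context)
    return context

def glob_escape(value):
    """Make *, ? and [ in a substituted value match literally, not as wildcards."""
    return re.sub(r"([*?\[])", r"[\1]", value)

def expand(pattern, context):
    """Replace every {TOKEN}; return None if any token has no value (fail closed)."""
    if any(name not in context for name in TOKEN.findall(pattern)):
        return None
    return TOKEN.sub(lambda m: glob_escape(context[m.group(1)]), pattern)

def matches(pattern, request, enrichers=()):
    """True if the request's resource matches the policy pattern after expansion."""
    expanded = expand(pattern, build_context(request, enrichers))
    return expanded is not None and fnmatch.fnmatchcase(request["resource"], expanded)

if __name__ == "__main__":
    # Constructed sample requests
    own = {"user": "alice", "resource": "/home/alice/notes.txt"}
    other = {"user": "bob", "resource": "/home/alice/notes.txt"}
    print(matches("/home/{USER}/*", own))    # alice reaches her own directory
    print(matches("/home/{USER}/*", other))  # bob does not reach alice's
    dept = {"user": "alice", "resource": "/dept/finance/q1.csv"}
    print(matches("/dept/{DEPT}/*", dept, [dept_enricher]))  # custom token resolved
    print(matches("/dept/{DEPT}/*", dept))   # no enricher registered: no match
```
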