Support Questions

laura_ngo · ‎02-23-2018

Is it possible to reference more than one Atlas tag in one Ranger policy via the Policy Conditions?

I can set-up allow or deny tag policies, but would like to reference a combination of tags in the Policy Conditions on one policy. Is this possible?

Example

Let's say I have these 3 tags: (tenancy_component with some attributes, tenancy_xxx and tenancy_yyy).

{
  "classificationDefs":[
    {
      "createdBy": "Laura",
      "name": "tenancy_component",
      "description": "tenancy_component",
      "attributeDefs": [
      {
	   "name":"landing",
	   "typeName":"boolean",
	   "isOptional":"true",
	   "isUnique":"false",
	   "isIndexable":"true",
	   "cardinality":"SINGLE"
      },
	  {
	   "name":"staging",
	   "typeName":"boolean",
	   "isOptional":"true",
	   "isUnique":"false",
	   "isIndexable":"true",
	   "cardinality":"SINGLE"
      },
	  {
	   "name":"data_lake",
	   "typeName":"boolean",
	   "isOptional":"true",
	   "isUnique":"false",
	   "isIndexable":"true",
	   "cardinality":"SINGLE"
      }],
     "superTypes": []
    }
  ]
}

{
  "classificationDefs":[
    {
      "createdBy": "Laura",
      "name": "tenancy_xxx",
      "description": "tenancy_xxx",
      "attributeDefs": [
      {
      }],
     "superTypes": []
    },
	{
      "createdBy": "Laura",
      "name": "tenancy_yyy",
      "description": "tenancy_yyy",
      "attributeDefs": [
      {
      }],
     "superTypes": []
    }
  ]
}

I want to provide access (ABAC) to a role such that it doesn't have access to landing unless it is in tenancy xxx, it has access to the data lake for tenancy xxx but not yyy. The role only have access to staging if it is part of tenancy_yyy.

Database name	Tags	Access
db1	tenancy_xxx, tenancy_component.landing=true	Access
db2	tenancy_xxx, tenancy_component.staging=true	Deny
db3	tenancy_xxx, tenancy_component.data_lake=true	Access
db5	tenancy_yyy, tenancy_component.landing=true	Deny
db6	tenancy_yyy, tenancy_component.staging=true	Access
db7	tenancy_yyy, tenancy_component.data_lake=true	Deny
db7	tenancy_component.data_lake=true	Deny

How many tag policies should I have and how would I do it?

mneethiraj · ‎02-27-2018

Is it possible to reference more than one Atlas tag in one Ranger policy via the Policy Conditions?

Yes. Following can be used to access details of all tags associated with the resource being accessed:

ctx.getAllTagTypes() <== returns names of all tags associated with the resource (Set<String>)
ctx.getTagAttributes(tagType) <== returns attributes of given tag (Map<String, String>)
ctx.getAttributeValue(tagType, attrName) <== returns value of attribute 'attrName' in tagType tag

The usecase you describe seems to require access-control based on tenancy and the zone in which the data resides. Please consider the following approach:

1. Define a classification named 'DATA_ZONE', with one attribute named "name" - as shown below:

"classificationDefs": [
    {
      "name": "DATA_ZONE",
      "attributeDefs": [
        {
          "name":     "name",
          "typeName": "string"
        }
      ]
    }
  ]

2. Define one classification for each tenant. In your example, you already have 2 classifications "tenancy_xxx" and "tenancy_yyy".

3. Create one tag-based policy for each tenant. Per your example, you would create 2 policies - one for "tenancy_xxx" tag and another for "tenancy_yyy" tag.

4. In policy for each tenant, you can use conditions as shown below to allow/deny access to users/groups:

ctx.getAttributeValue("DATA_ZONE", "name").equals("landing")

ctx.getAttributeValue("DATA_ZONE", "name").equals("staging")

ctx.getAttributeValue("DATA_ZONE", "name").equals("data_lake")

View solution in original post

mneethiraj · ‎02-27-2018

Is it possible to reference more than one Atlas tag in one Ranger policy via the Policy Conditions?

Yes. Following can be used to access details of all tags associated with the resource being accessed:

ctx.getAllTagTypes() <== returns names of all tags associated with the resource (Set<String>)
ctx.getTagAttributes(tagType) <== returns attributes of given tag (Map<String, String>)
ctx.getAttributeValue(tagType, attrName) <== returns value of attribute 'attrName' in tagType tag

The usecase you describe seems to require access-control based on tenancy and the zone in which the data resides. Please consider the following approach:

1. Define a classification named 'DATA_ZONE', with one attribute named "name" - as shown below:

"classificationDefs": [
    {
      "name": "DATA_ZONE",
      "attributeDefs": [
        {
          "name":     "name",
          "typeName": "string"
        }
      ]
    }
  ]

2. Define one classification for each tenant. In your example, you already have 2 classifications "tenancy_xxx" and "tenancy_yyy".

3. Create one tag-based policy for each tenant. Per your example, you would create 2 policies - one for "tenancy_xxx" tag and another for "tenancy_yyy" tag.

4. In policy for each tenant, you can use conditions as shown below to allow/deny access to users/groups:

ctx.getAttributeValue("DATA_ZONE", "name").equals("landing")

ctx.getAttributeValue("DATA_ZONE", "name").equals("staging")

ctx.getAttributeValue("DATA_ZONE", "name").equals("data_lake")

laura_ngo · ‎02-28-2018

Thanks, @Madhan Neethiraj - that's very helpful indeed. And I like your suggestion about how to structure the Ranger policies - very logical.

I will try this out and will post back if I have any other queries about this.

laura_ngo · ‎03-04-2018

@Madhan Neethiraj

I'm having problems getting the tag policy to work. Here are the steps I've taken:

Disabled resource policies - holger_gov cannot select on default and foodmart database
Created a tag called tennant_xxx
Created a tag policy giving access to holger_gov if tag is tennant_xxx - so far so good as holger_gov now has select access
Created a tag called DATA_ZONE with attribute name (type string) and added to default and footmart database - one with a name = data_lake and one with name = staging
Added policy condition:

ctx.getAttributeValue("DATA_ZONE", "name").equals("data_lake")

But holger_gov can still select on both databases - I only want the data_lake one to be selectable.

I have tried various combinations to try to get it to work including the below, but to no avail. Any ideas?

if(ctx.getAttributeValue("DATA_ZONE", "name").equals("data_lake")) {
ctx.result = true;
} else {
ctx.result = false;
}

mneethiraj · ‎03-04-2018

@Laura Ngo - can you verify that no other policy allowed select access on footmart database for holger_gov (please look at Ranger audit log)?

laura_ngo · ‎03-05-2018

@Madhan Neethiraj - The Ranger Audit looks to me as though only policy 35 is being used. I've attached some screen prints. I'm not sure if it's relevant, but the Ranger Audit policy when clicked doesn't show the ',', although in the actual policy the ',' is still present.

mneethiraj · ‎03-05-2018

@Laura Ngo - I was able to reproduce the issue. The expression you entered is indeed correct:

ctx.getAttributeValue("DATA_ZONE","name").equals("data_lake")

However, when the policy is saved from UI, the entered expression is broken into multiple strings, causing the evaluation to fail at runtime. This is likely an issue with Ranger UI. I was able to get around this issue by updating the policies via REST API; if possible, please update the policies via REST API. I will update on the UI issue shortly.

laura_ngo · ‎03-05-2018

@Madhan Neethiraj - I've changed the Ranger policy via PUT service/public/v2/api/policy/35

"conditions": [
  {
"type": "expression",
"values": ["ctx.getAttributeValue('DATA_ZONE','name').equals('data_lake')"]
}
]
<br>

But I'm still not getting the desired behaviour - I would expect holger_gov to be denied access based on the below flow:

Here's a screenshot of the Ranger Audit

Could you perhaps paste the full output of your GET service/public/v2/api/policy/{i} policy so I can compare? Here's mine:

{"id": 35,
"guid": "1d7a6456-840d-4d1d-b5d5-7ec37d50eb8c",
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": 1520122079000,
"updateTime": 1520255099000,
"version": 22,
"service": "sandbox_tag",
"name": "tenancy_food",
"policyType": 0,
"description": "",
"resourceSignature": "5b2d59d4b57c1fa990c17143d54c89974270cf8e928f982e03c89055cbc69386",
"isAuditEnabled": true,
"resources": {"tag": {"values": [  "tenancy_food"
],


"isExcludes": false,
"isRecursive": false
}


},


"policyItems": [  {"accesses": [  {"type": "hive:select",
"isAllowed": true
},


  {"type": "hive:update",
"isAllowed": true
},


  {"type": "hive:create",
"isAllowed": true
},


  {"type": "hive:drop",
"isAllowed": true
},


  {"type": "hive:alter",
"isAllowed": true
},


  {"type": "hive:index",
"isAllowed": true
},


  {"type": "hive:lock",
"isAllowed": true
},


  {"type": "hive:all",
"isAllowed": true
},


  {"type": "hive:read",
"isAllowed": true
},


  {"type": "hive:write",
"isAllowed": true
},


  {"type": "hive:repladmin",
"isAllowed": true
},


  {"type": "hive:serviceadmin",
"isAllowed": true
}


],


"users": [  "holger_gov"
],


"groups": [],
"conditions": [  {"type": "expression",
"values": [  "ctx.getAttributeValue('DATA_ZONE','name').equals('data_lake')"
],


}


],


"delegateAdmin": false
}


],


"denyPolicyItems": [],
"allowExceptions": [],
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
}
<br>

mneethiraj · ‎03-05-2018

@Laura Ngo - the policy contents look right. Audit log shows the tag name in lower case - "data_zone". Please ensure that the tag name used in the condition is same as the one in Atlas.

laura_ngo · ‎03-05-2018

You are exactly right - thank you. Both the Atlas tag and the Ranger policy were in caps but I don't think Ranger Audit likes caps. I changed both to lower and the access is denied.

access-denied.png

Thanks so much for your help. (I've never been so happy to see an 'access denied' message!)

Cloudera Community

Support Questions

Is it possible to reference multiple tags in one Ranger tag policy via Policy Conditions?