[DOCS] Docs for using Marcos in row-level filter in Authz

[bowenliang123]

Code of Conduct

• I agree to follow this project's Code of Conduct

Search before asking

• I have searched in the issues and found no similar issues.

Which parts of the documentation do you think need improvement?

Support macros in Row-filter condition expression, introduced in Ranger 2.3 (release notes), is an major feature to significantly simplify the row-filter condition expression in practice by replacing explicit condition query by using user/group's attributes.

• RANGER-3605 : Support macros in row-filter/condition expressions
• RANGER-3550 : support for using user/tag attributes in row-filter expressions and conditions

Consider user liangtiancheng with attribute born_city = guangzhou, we can define the row filter condition with city='${{USER.born_city}}' with the macro feature.

However, This feature implicit relies on an config named ranger.plugin.spark.enable.implicit.userstore.enricher and the default value false will prevent RangerUserStoreEnricher fetching user/group and their attributes. Macros in row-filter condition will fallback to null value (as lack of user attributes value in UserStore of auth context) in script transformation unexpectedly and imperceptibly.

Improving doc of ranger-spark-security.xml to aware of this feature and related config.

Affects Version(s)

1.6.0

Improving the documentation

By adding the config suggestion here in AuthZ plugin docs of sample ranger-spark-security.xml in https://github.com/apache/incubator-kyuubi/blob/master/docs/security/authorization/spark/install.md

<property>
        <name>ranger.plugin.spark.enable.implicit.userstore.enricher</name>
        <value>true</value>
       <description>Enable UserStoreEnricher for fetching user and group attributes if using marcros or scripts in row-filters since Ranger 2.3</description>
</property>

<property>
        <name>ranger.plugin.hive.policy.cache.dir</name>
        <value>./a ranger hive service name/policycache</value>
       <description>policycache cache path of hive service def for caching UserStore , Tags, etc.</description>
</property>

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

[yaooqinn]

sounds nice.

[bowenliang123]

Will submit a PR when matured at proper time.

[pan3793]

Hi, @bowenliang123, changed to milestone 1.7.0 because the community are going to release 1.6.0 recently

[bowenliang123]

@pan3793 alright.
What is the release date scheduled for 1.6.0? If it is close to end of Auguest, I should be able to catch up with it and submit an pr this week. The enrichment is not about to modify any code implementation other than docs.

[pan3793]

Great, 1.6.0 is expected to be out in late Aug. or early Sept. Changed it back to 1.6.0.

[bowenliang123]

Still some uncertainties in using Ranger's policy marcos with user/group attrs to be clearify and verify. That's reason I have to take more time than I expected.

So far, user attrs work fine in macros with enabled UserStoreEnricher plus force updating UserStore version code in specific Rest API calling. But group attrs dont.

[bowenliang123]

@pan3793 PR #3267 is created for this issue. Please have a check if interested.

[bowenliang123]

@Ero98 FYI.

[pan3793]

Thanks @bowenliang123 I'm going to check it ASAP, also cc @zhouyifan279

[pan3793]

BTW, we can bump ranger version from 2.2.0 to 2.3.0, @bowenliang123 would you like to open PR for it?

[yikf]

BTW, we can bump ranger version from 2.2.0 to 2.3.0, @bowenliang123 would you like to open PR for it?

i'm interesed in this, will fill a title

[bowenliang123]

BTW, we can bump ranger version from 2.2.0 to 2.3.0, @bowenliang123 would you like to open PR for it?

Sure. But let's have further investigation to see what to improve the docs and key features.

On my side , I still have some uncertainties about policies on group and group attributes.