-
Notifications
You must be signed in to change notification settings - Fork 902
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DOCS] Docs for using Marcos in row-level filter in Authz #3217
Comments
sounds nice. |
Will submit a PR when matured at proper time. |
Hi, @bowenliang123, changed to milestone 1.7.0 because the community are going to release 1.6.0 recently |
@pan3793 alright. |
Great, 1.6.0 is expected to be out in late Aug. or early Sept. Changed it back to 1.6.0. |
Still some uncertainties in using Ranger's policy marcos with user/group attrs to be clearify and verify. That's reason I have to take more time than I expected. So far, user attrs work fine in macros with enabled UserStoreEnricher plus force updating UserStore version code in specific Rest API calling. But group attrs dont. |
@Ero98 FYI. |
Thanks @bowenliang123 I'm going to check it ASAP, also cc @zhouyifan279 |
BTW, we can bump ranger version from 2.2.0 to 2.3.0, @bowenliang123 would you like to open PR for it? |
i'm interesed in this, will fill a title |
Sure. But let's have further investigation to see what to improve the docs and key features. On my side , I still have some uncertainties about policies on group and group attributes. |
### _Why are the changes needed?_ Support macros in Row-filter condition expression, introduced in Ranger 2.3 ([release notes](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes)), is an major feature to significantly simplify the row-filter condition expression in practice by replacing explicit condition query by using user/group's attributes. - [RANGER-3605](https://issues.apache.org/jira/browse/RANGER-3605) : Support macros in row-filter/condition expressions - [RANGER-3550](https://issues.apache.org/jira/browse/RANGER-3550) : support for using user/tag attributes in row-filter expressions and conditions Consider user liangtiancheng with attribute born_city = guangzhou, we can define the row filter condition with city='${{USER.born_city}}' with the macro feature. However, This feature implicit relies on an config named `ranger.plugin.spark.enable.implicit.userstore.enricher` and the default value false will prevent RangerUserStoreEnricher fetching user/group and their attributes. Macros in row-filter condition will fallback to null value (as lack of user attributes value in UserStore of auth context) in script transformation unexpectedly and imperceptibly. Improving doc of ranger-spark-security.xml to aware of this feature and related config. ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #3267 from bowenliang123/doc-ranger-macros. Closes #3217 aee4b20 [liangbowen] plain text a7ec3bc [liangbowen] update docs and clearify difference between ranger.plugin.hive.policy.cache.dir and ranger.plugin.spark.policy.cache.dir configs 4887bd1 [liangbowen] simplify with "row filter expressions" fa62402 [liangbowen] skip list items 9dd1cd4 [liangbowen] h5. Using Marcos in Row Level Filters 849bed5 [liangbowen] add docs for Additional configs for using Marcos in row-level filter Authored-by: liangbowen <liangbowen@gf.com.cn> Signed-off-by: Kent Yao <yao@apache.org>
### _Why are the changes needed?_ Fix #3217 (comment) This pr aims to bump ranger version from 2.2.0 to 2.3.0 ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #3333 from Yikf/pr/3282. Closes #3333 07b35b9 [Cheng Pan] Update log4j2-test.xml 45a403b [yikf] [KYUUBI #3217][FOLLOWUP] Bump ranger version to 2.3.0 Lead-authored-by: yikf <yikaifei1@gmail.com> Co-authored-by: Cheng Pan <pan3793@gmail.com> Signed-off-by: Cheng Pan <chengpan@apache.org>
Code of Conduct
Search before asking
Which parts of the documentation do you think need improvement?
Support macros in Row-filter condition expression, introduced in Ranger 2.3 (release notes), is an major feature to significantly simplify the row-filter condition expression in practice by replacing explicit condition query by using user/group's attributes.
Consider user
liangtiancheng
with attributeborn_city
=guangzhou
, we can define the row filter condition withcity='${{USER.born_city}}'
with the macro feature.However, This feature implicit relies on an config named
ranger.plugin.spark.enable.implicit.userstore.enricher
and the default valuefalse
will preventRangerUserStoreEnricher
fetching user/group and their attributes. Macros in row-filter condition will fallback to null value (as lack of user attributes value inUserStore
of auth context) in script transformation unexpectedly and imperceptibly.Improving doc of
ranger-spark-security.xml
to aware of this feature and related config.Affects Version(s)
1.6.0
Improving the documentation
By adding the config suggestion here in AuthZ plugin docs of sample
ranger-spark-security.xml
in https://github.com/apache/incubator-kyuubi/blob/master/docs/security/authorization/spark/install.mdAnything else
No response
Are you willing to submit PR?
The text was updated successfully, but these errors were encountered: