Licensed under the Apache License, Version 2.0. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Simply call `NestedStructureAuthorizer.authorize()` to determine if the user has access to the JSON record and its fields. The result indicates whether the user is authorized. The result also contains the JSON string the user is authorized to view, for example with fields masked as specified in Apache Ranger policies.
```java
import java.util.HashSet;
import java.util.Set;

String schema = "json_object.cxt.cmt.product.vnull3";
String userName = "beckma200";
Set<String> userGroups = new HashSet<>();
String jsonString = ...; // the JSON record to authorize

// Evaluate the Ranger policies for this user, schema and record
AccessResult result = NestedStructureAuthorizer.getInstance()
        .authorize(schema, userName, userGroups, jsonString, NestedStructureAccessType.READ);

// Deny by default: only use the (possibly masked) JSON when access was granted
String authorizedJsonString = result.hasAccess() ? result.getJson() : null;
```
An example client is included at `org.apache.ranger.authorization.nestedstructure.authorizer.ExampleClient`.
The classpath needs to contain three files: `ranger-nestedstructure-audit.xml`, `ranger-nestedstructure-policymgr-ssl.xml`, and `ranger-nestedstructure-security.xml`. Each of these files needs to be edited for each deployment. The other required files do not need edits and are included in the jar file.
`ranger-nestedstructure-security.xml`

- `ranger.plugin.nestedstructure.policy.rest.url` should be set to the correct audit location (prod vs integration).

`ranger-nestedstructure-audit.xml`

- `xasecure.audit.destination.solr.urls` should be set to the correct audit location (prod vs integration).

`ranger-nestedstructure-policymgr-ssl.xml`

- `xasecure.policymgr.clientssl.keystore` should be set to the location of the `ranger-plugin-keystore.p12` file.
- `xasecure.policymgr.clientssl.keystore.credential.file` should be set to the location of the `ranger.jceks` file.
- `xasecure.policymgr.clientssl.truststore` should be set to the location of the `global-truststore.p12` file.
- `xasecure.policymgr.clientssl.truststore.credential.file` should be set to the location of the `ranger.jceks` file.

The policy examples below use this JSON record:

```json
{
  "store": {
    "book": [
      { "category": "reference", "author": "Nigel Rees", "title": "Sayings of the Century", "price": 8.95 },
      { "category": "fiction", "author": "Evelyn Waugh", "title": "Sword of Honour", "price": 12.99 },
      { "category": "fiction", "author": "Herman Melville", "title": "Moby Dick", "isbn": "0-553-21311-3", "price": 8.99 },
      { "category": "fiction", "author": "J. R. R. Tolkien", "title": "The Lord of the Rings", "isbn": "0-395-19395-8", "price": 22.99 }
    ],
    "bicycle": { "color": "red", "price": 19.95 }
  },
  "expensive": 10
}
```
Arrays require the policy to state that all elements of the array should be considered: an asterisk `*` is required. To restrict by book price, specify one of the following values in the Apache Ranger policy for the resource `field`:

- `store.book[*]price < 100`
- `store.book.*.price < 100`
Otherwise, simple dot `.` syntax is all that is required. To restrict the color of the bicycle, use `store.bicycle.color` in Ranger.
Only primitive types (numbers, booleans, and strings) can be masked. Elements inside arrays and maps are masked at the field level. Note that at this time, masking a container is NOT possible; each element has to be masked individually.

If the mask type is not applicable to the datatype, a default mask of `NULL` will be used.
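To make the field-path and masking rules above concrete, here is an added Python model of the semantics this page describes; it is not the plugin's code (which is Java) nor a reimplementation of its authorizer. It shows how a field path such as `store.book[*].price` or `store.book.*.price` selects leaves, how a mask is applied per primitive field, and how a mask that does not fit the datatype falls back to NULL; the mask type names `REDACT` and `ZERO` and the sample record are constructed for this example.

```python
import copy
import re

# Constructed sample record, in the shape of the store document on this page.
RECORD = {"store": {
    "book": [{"category": "reference", "author": "Nigel Rees", "price": 8.95},
             {"category": "fiction", "author": "Herman Melville", "isbn": "0-553-21311-3", "price": 8.99}],
    "bicycle": {"color": "red", "price": 19.95}}}

def tokenize(path):
    """'store.book[*].price' and 'store.book.*.price' both become ['store', 'book', '*', 'price']."""
    return [t for t in re.split(r"[.\[\]]", path) if t]

def resolve(node, tokens):
    """Yield (container, key) for every value the path selects.
    A '*' token fans out over every element of an array (or every entry of a map)."""
    if not tokens:
        return
    head, rest = tokens[0], tokens[1:]
    if head == "*":
        keys = range(len(node)) if isinstance(node, list) else list(node) if isinstance(node, dict) else []
    else:
        keys = [head] if isinstance(node, dict) and head in node else []
    for key in keys:
        if rest:
            yield from resolve(node[key], rest)
        else:
            yield node, key

def select(record, path):
    """Values a policy field path matches, e.g. the operands of 'store.book[*].price < 100'."""
    return [c[k] for c, k in resolve(record, tokenize(path))]

def mask_value(value, mask_type):
    """Hypothetical mask types: REDACT fits strings, ZERO fits numbers (bool is excluded
    on purpose). A mask type that does not fit the datatype falls back to the NULL mask."""
    if mask_type == "REDACT" and isinstance(value, str):
        return "x" * len(value)
    if mask_type == "ZERO" and type(value) in (int, float):
        return 0
    return None

def apply_mask(record, path, mask_type):
    """Return a masked copy; only primitive leaves may be masked, never a container."""
    masked = copy.deepcopy(record)
    for container, key in resolve(masked, tokenize(path)):
        if isinstance(container[key], (dict, list)):
            raise ValueError(f"{path}: containers cannot be masked, mask each element instead")
        container[key] = mask_value(container[key], mask_type)
    return masked
```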