Skip to content

For conceptual background, see How Access Management Works.

Configuring Policy with Attribute-Based Access Control (ABAC)

With the ABAC feature, you can configure resource policies based on user attributes from your LDAP or AD service.

You can also implement logical conditions on the user attributes for the resource policies.

This section explains:

  • Supported connectors for ABAC
  • Prerequisites
  • How to sync new users from Privacera Ranger through the UI.
  • How to enable ABAC for a resource policy through the CLI.
  • How to test ABAC for a resource policy.

Supported Connectors for ABAC

ABAC is supported for the following data sources.

  • Databricks/EMR Hive, Spark, and all services using privacera_hive service definition
  • PolicySync Snowflake
  • S3

Note

For Databricks and all Hive-based services, ABAC is supported without any additional configuration. However, ABAC for S3 requires configuring as described in this documentation.

Prerequisites

Ensure the following prerequisites are met:

  • Import the users from the LDAP or AD directory to the Privacera Ranger database.

    If you have not imported the LDAP user yet, refer to the link to import the LDAP user LDAP / LDAP-S for Data Access User Synchronization.

  • Determine the resources you want to protect with ABAC-based policies.

Syncing New Users from Privacera Ranger

You need to add the new configuration in the resource policies to import only the new user entries from the Privacera Ranger database.

To add new configuration in the resource policies, do the following:

  1. Login to the Privacera portal.

  2. On the navigation menu, go to Access Management > Resource Policies.

  3. On the S3 service, click the edit button.

    The Add Service dialog will display.

  4. In the Add New Configurations text box, add userstore.download.auth.users as a key and asterisk (*) as a value, and then click Save.

Enabling ABAC in a Resource Policy

You need to update the service definition to enable user ABAC in your service.

Below is an example of S3 for configuring service definition:

  1. To configure service definition for S3, run the following command:

    curl -sS -L -k -u <User_Name>:<Password> -H "Content-type: application/json" -H "Accept: application/json" -X GET http://<YOUR_INSTANCE_IP>:6080/service/public/v2/api/servicedef/name/s3
    

    You will get a response in the JSON format. In the response body, the values of the contextEnrichers and policyConditions will be blank.

    "policyConditions": [
        ],
        "contextEnrichers": [
        ],
        "enums": [],
        "dataMaskDef": {
            "maskTypes": [],
            "accessTypes": [],
            "resources": []
        },
        "rowFilterDef": {
            "accessTypes": [],
            "resources": []
        }
    }
    
  2. Add the following policyConditions and contextEnrichers tags in the response body:

    "policyConditions": [{
            "itemId": 1,
            "name": "expression",
            "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
            "evaluatorOptions": {
                "ui.isMultiline": "true",
                "engineName": "JavaScript"
            },
            "label": "Enter Attribute condition",
            "description": "Attribute condition"
        }],
        "contextEnrichers": [{
                "itemId": 1,
                "name": "UserEnricher",
                "enricher": "org.apache.ranger.plugin.contextenricher.RangerUserStoreEnricher",
                "enricherOptions": {
                    "userStoreRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminUserStoreRetriever",
                    "userStoreRefresherPollingInterval": "60000"
                }
            }]
    
  3. Save the document in the JSON format, such as update.json.

    Note

    Make sure that the update.json file format and tags are correct and properly aligned.

  4. To update the configuration, run the following command:

    curl -sS -L -k -u admin:welcome1 -H "Content-type: application/json" -H "Accept: application/json" -X PUT http://<YOUR_INSTANCE_IP>:6080/service/public/v2/api/servicedef/name/s3  -d @update.json
    

    In the response, you will get the updated JSON service definition.

Testing ABAC in a Resource Policy

For testing, create two users with permissions to assume roles with the same tags. For example, “tony” and “odin” are the users. You can also use logical condition operator ('&&' and '||') which are allowed in the policy conditions expression.

Use the following steps to check available attributes for user:

  1. Go to the Privacera Portal.

  2. Click Access Management > Users/Groups/Roles > Users.

  3. Search user name, and then select Attributes.

Using givenName as an Attribute

Below are the attributes for "tony" and "odin". The attribute givenName will be used to define access permissions in the resource policy.

User attributes for “tony”

User attributes for “odin”

Following are the steps to edit ABAC-based policy:

  1. Go to your service, and click your service type.

    List of policies are displayed.

  2. Click on the policy in which you want to add attributes for "tony".

  3. In the Bucket Name field, select the bucket in which you want to give access to “tony”.

  4. On the Allow Conditions section:

    • In the Select Group field, select public.

    • In the Policy Conditions field, click Add Conditions +, and then enter attribute conditions, such as givenName=="tony".

  5. Click Save.

    Now, "tony" can access all the buckets:

    But "odin" cannot access all the buckets which "tony" can, because we have not added user attributes for "odin" in the Policy Conditions.

Using Logical Condition Operator

If you want to add logical condition on the attributes of the resource policy, then do the following steps:

In the Policy Conditions field, click Add Conditions +, and then add the following logical condition operator for your attributes:

  • (sync_source=="ad") && (givenName=="tony"): Add this condition when both the attribute conditions to be validated and true.

  • (givenName=="tony") || (givenName=="odin") - Add this condition when only one of the attributes to be validated and true.