Privacera Platform master publication

Configure Policy with Attribute-Based Access Control

:

Privacera enables use of user, group, resource, classification, and the environment attributes in authorization policies. Attribute-Based Access Control (ABAC) makes it possible to express authorization policies without prior knowledge of specific resources or specific users, which helps avoid the need for new policies as new resources or users are introduced.

For more information, see How access policy enforcement works.

Overview

With the ABAC feature, you can configure resource policies based on user attributes from your LDAP or AD service.

You can assign attributes to users, groups and tags in policies. You can also implement logical conditions on the user attributes for the resource policies.

Attributes can be referenced using expressions, for example:

USER.employeeType != 'intern'
TAG.piiType == 'email'
TAG.sensitivityLevel <= USER.allowedSensitivityLevel

Attributes can be used to set up access control. For example, they can be used in row-filters, such as:

dept = ${{USER.dept}}
state in ( ${{GET_UG_ATTR_Q_CSV('state')}} )

Attributes can also be used in resource names, for example:

path: /home/${{USER._name}}
path: /departments/${{USER.dept}}
database: dept_${{USER.dept}}p

Ranger service-def update might be required to support conditions in policies. For example:

"policyConditions": [ 
  {
     "name":      "expression",
     "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
     "label":     "Enter boolean expression"
   }
]

User attributes are typically managed in LDAP, and synced to Privacera.

The Privacera Portal user interface enables you to view and add and update user and group attributes.

This section covers:

  • Supported connectors for ABAC

  • How to sync new users from Privacera Ranger through the UI.

  • How to enable ABAC for a resource policy through the CLI.

  • How to test ABAC for a resource policy.

Supported connectors for ABAC

ABAC is supported for the following data sources.

  • Databricks/EMR Hive, Spark, and all services using privacera_hive service definitions

  • PolicySync Snowflake

  • S3

Note

For Databricks and all Hive-based services, ABAC is supported without any additional configuration. However, ABAC for S3 requires configuration as described in this section.

Prerequisites

Ensure the following prerequisites are met:

  • Import the users from the LDAP or AD directory to the Privacera Ranger database.

    If you have not imported LDAP users yet, see LDAP / LDAP-S for Data Access User Synchronization for information.

  • Determine the resources you want to protect with ABAC-based policies.

Sync new users from Privacera Ranger

You need to add the new configuration in the resource policies to import only the new user entries from the Privacera Ranger database.

To add new configuration in the resource policies:

  1. Login to the Privacera portal.

  2. On the navigation menu, go to Access Management > Resource Policies.

  3. On the S3 service, click the edit button.

    s3.jpg

    The Add Service dialog will display.

  4. In the Add New Configurations text box, add userstore.download.auth.users as a key and asterisk (*) as a value, and then click Save.

    adds.jpg
Enable ABAC in a resource policy

You need to update the service definition to enable user ABAC in your service.

Below is an example of S3 for configuring service definition:

  1. To configure service definition for S3, run the following command:

    curl -sS -L -k -u <User_Name>:<Password> -H "Content-type: application/json" -H "Accept: application/json" -X GET http://<YOUR_INSTANCE_IP>:6080/service/public/v2/api/servicedef/name/s3

    You will get a response in the JSON format. In the response body, the values of the contextEnrichers and policyConditions will be blank.

    "policyConditions": [
    ],
    "contextEnrichers": [
    ],
    "enums": [],
    "dataMaskDef": {
        "maskTypes": [],
        "accessTypes": [],
        "resources": []
    },
    "rowFilterDef": {
        "accessTypes": [],
        "resources": []
    }
}

  2. Add the following policyConditions and contextEnrichers tags in the response body:

    "policyConditions": [{
        "itemId": 1,
        "name": "expression",
        "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
        "evaluatorOptions": {
            "ui.isMultiline": "true",
            "engineName": "JavaScript"
        },
        "label": "Enter Attribute condition",
        "description": "Attribute condition"
    }],
    "contextEnrichers": [{
            "itemId": 1,
            "name": "UserEnricher",
            "enricher": "org.apache.ranger.plugin.contextenricher.RangerUserStoreEnricher",
            "enricherOptions": {
                "userStoreRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminUserStoreRetriever",
                "userStoreRefresherPollingInterval": "60000"
            }
        }]

  3. Save the document in the JSON format, such as update.json.

    Note

    Make sure that the update.json file format and tags are correct and properly aligned.

  4. To update the configuration, run the following command:

    curl -sS -L -k -u admin:welcome1 -H "Content-type: application/json" -H "Accept: application/json" -X PUT http://<YOUR_INSTANCE_IP>:6080/service/public/v2/api/servicedef/name/s3  -d @update.json

    In the response, you will get the updated JSON service definition.

Test ABAC in a resource policy

For testing, create two users with permissions to assume roles with the same tags. For example, “tony” and “odin” are the users. You can also use logical condition operator ('&&' and '||') which are allowed in the policy conditions expression.

To check available attributes for a user:

  1. Go to the Privacera Portal.

  2. Click Access Management > Users/Groups/Roles > Users.

  3. Search user name, and then select Attributes.

Use givenName as an Attribute

Below are the attributes for "tony" and "odin". The attribute givenName will be used to define access permissions in the resource policy.

User attributes for “tony”

newtony1.jpg

User attributes for “odin”

newodin.jpg

To edit an ABAC-based policy:

  1. Go to your service, and click your service type.

    stedit.jpg

    List of policies are displayed.

  2. Click editicon.jpg on the policy in which you want to add attributes for "tony".

  3. In the Bucket Name field, select the bucket in which you want to give access to “tony”.

    bname.jpg

  4. On the Allow Conditions section:

    • In the Select Group field, select public.

    • In the Policy Conditions field, click Add Conditions +, and then enter attribute conditions, such as givenName=="tony".

      pplus.jpg

  5. Click Save.

    Now, "tony" can access all the buckets:

    tonya.jpg

    But "odin" cannot access all the buckets which "tony" can, because we have not added user attributes for "odin" in the Policy Conditions.

    odina.jpg
Use a logical condition operator

If you want to add logical condition on the attributes of the resource policy, then do the following steps:

In the Policy Conditions field, click Add Conditions +, and then add the following logical condition operator for your attributes:

  • (sync_source=="ad") && (givenName=="tony"): Add this condition when both the attribute conditions to be validated and true.

  • (givenName=="tony") || (givenName=="odin") - Add this condition when only one of the attributes to be validated and true.