Skip to content

Configuring Policy with Attribute-Based Access Control (ABAC)#

With the ABAC feature, you can configure resource policies based on user attributes from your LDAP or AD service.

You can also implement logical conditions on the user attributes for the resource policies.

This procedure contains:

  • Prerequisites

  • How to sync new users from Privacera Ranger through UI.

  • How to enable ABAC in a resource policy through CLI.

  • How to test ABAC in a resource policy.

Prerequisites#

Ensure the following prerequisites are met:

  • Import the users from the LDAP or AD directory to the Privacera Ranger database.

    If you have not imported the LDAP user yet, refer to the link to import the LDAP user LDAP / LDAP-S for Data Access User Synchronization.

  • Determine the resources you want to protect with ABAC-based policies.

Syncing New Users from Privacera Ranger#

You need to add the new configuration in the resource policies to import only the new user entries from the Privacera Ranger database.

To add new configuration in the resource policies, do the following:

  1. Login to Privacera portal.

  2. On the left nav, go to Access Management > Resource Policies.

  3. On the S3 service, click edit icon.

    Add Service dialog is displayed.

  4. In the Add New Configurations text box, add userstore.download.auth.users as a key and asterisk (*) as a value, and then click Save.

Enabling ABAC in a Resource Policy#

You need to update the service definition to enable user ABAC in your service.

Following is an example of S3 for configuring service definition:

  1. To configure service definition for S3, run the following command:

    curl -sS -L -k -u <User_Name>:<Password> -H "Content-type: application/json" -H "Accept: application/json" -X GET http://<YOUR_INSTANCE_IP>:6080/service/public/v2/api/servicedef/name/s3
    

    You will get a response in the JSON format. In the response body, the values of the contextEnrichers and policyConditions will be blank.

    "policyConditions": [
        ],
        "contextEnrichers": [
        ],
        "enums": [],
        "dataMaskDef": {
            "maskTypes": [],
            "accessTypes": [],
            "resources": []
        },
        "rowFilterDef": {
            "accessTypes": [],
            "resources": []
        }
    }
    
  2. Add the following policyConditions and contextEnrichers tags in the response body:

    "policyConditions": [{
            "itemId": 1,
            "name": "expression",
            "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
            "evaluatorOptions": {
                "ui.isMultiline": "true",
                "engineName": "JavaScript"
            },
            "label": "Enter Attribute condition",
            "description": "Attribute condition"
        }],
        "contextEnrichers": [{
                "itemId": 1,
                "name": "UserEnricher",
                "enricher": "org.apache.ranger.plugin.contextenricher.RangerUserStoreEnricher",
                "enricherOptions": {
                    "userStoreRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminUserStoreRetriever",
                    "userStoreRefresherPollingInterval": "60000"
                }
            }]
    
  3. Save the document in the JSON format, such as update.json.

    Note

    Make sure that the update.json file format and tags are correct and properly aligned.

  4. To update the configuration, run the following command:

    curl -sS -L -k -u admin:welcome1 -H "Content-type: application/json" -H "Accept: application/json" -X PUT http://<YOUR_INSTANCE_IP>:6080/service/public/v2/api/servicedef/name/s3  -d @update.json
    

    In the response, you will get the updated JSON service definition.

Testing ABAC in a Resource Policy#

For testing, let's create two users with permissions to assume roles with the same tags. For example, “tony” and “odin” are the users. You can also use logical condition operator ('&&' and '||') which are allowed in the policy conditions expression.

Use the following steps to check available attributes for user:

  1. Go to the Privacera Portal.

  2. Click Access Management > Users/Groups/Roles > Users.

  3. Search user name, and then select Attributes.

Using givenName as an Attribute#

Following are the attributes for "tony" and "odin". The attribute givenName will be used to define access permissions in the resource policy.

User attributes for “tony”

User attributes for “odin”

Following are the steps to edit ABAC-based policy:

  1. Go to your service, and click your service type.

    List of policies are displayed.

  2. Click on the policy in which you want to add attributes for "tony".

  3. In the Bucket Name field, select the bucket in which you want to give an access to “tony”.

  4. On the Allow Conditions section:

    • In the Select Group filed, select public.

    • In the Policy Conditions field, click Add Conditions +, and then enter attribute conditions, such as givenName=="tony".

  5. Click Save.

    Now, "tony" can access all the buckets:

    But "odin" cannot access all the buckets which "tony" can, because we have not added user attributes for "odin" in the Policy Conditions.

Using Logical Condition Operator#

If you want to add logical condition on the attributes of the resource policy, then do the following steps:

In the Policy Conditions field, click Add Conditions +, and then add the following logical condition operator for your attributes:

  • (sync_source=="ad") && (givenName=="tony"): Add this condition when both the attribute conditions to be validated and true.

  • (givenName=="tony") || (givenName=="odin") - Add this condition when only one of the attributes to be validated and true.


Last update: August 24, 2021