{USER} Variable
The variable {USER} can be used to autofill the accessing
user, for example:
In , choose .
In , enter
data_{USER}.
{USER} Variable Recommended Practices and Customizability
Ranger requires that string '{USER}' is used to represent accessing user as the user in the policy-item in a Ranger policy. However, Ranger provides flexible way of customizing the string that is used as shorthand to represent the accessing user's name in the policy resource specification. By default, Ranger policy resource specification expects characters '{' and '}' as delimiters for string 'USER', however, ranger supports customizable way of specifying delimiter characters, escaping those delimiters, and the string 'USER' itself by prefixing it with another, user-specified string on a per resource-level basis in the service definition of each component supported by Ranger.
For example, if for a certain HDFS installation, if the path names may contain '{' or '}' as valid characters, but not '%' character, then the service-definition for HDFS can be specified as:
"resources": [
{
"itemId": 1,
"name": "path",
"type": "path",
"level": 10,
"parent": "",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": true,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
"matcherOptions": {"wildcard": true, "ignoreCase": false}, "replaceTokens":true, "tokenDelimiterStart":"%", "tokenDelimiterEnd":"%", "tokenDelimiterPrefix":"rangerToken:"}
"validationRegEx":"",
"validationMessage": "",
"uiHint":"",
"label": "Resource Path",
"description": "HDFS file or directory
path"
}
]Corresponding ranger policy for the use case for HDFS will be written as follow:
resource: path=/home/%rangerToken:USER%
user: {USER}
permissions: all, delegateAdmin=trueThe following customizable matcherOptions are available for this feature:
replaceTokens:trueif short-hand for user in resource-spec needs to be replaced at run-time with current-user's name;falseif the resource-spec needs to be interpreted as it is. Default value:true.tokenDelimiterStart: Identifies start character of short-hand for current-user in resource specification. Default value:{.tokenDelimiterEnd: Identifies end character of short-hand for current-user in resource specification. Default value:}.tokenDelimiterEscape: Identifies escape character for escapingtokenDelimiterStartortokenDelimiterEndvalues in resource specification. Default value:\.tokenDelimiterPrefix: Identifies special prefix which together with string 'USER' makes up short-hand for current-user's name in the resource specification. Default value: