
Feature Request: Tag-Based Access Control Policies for StarRocks Ranger Plugin #67458

@farkoo


Feature request

Is your feature request related to a problem? Please describe.
Yes. The StarRocks Ranger plugin currently only supports resource-based policies, requiring administrators to create individual policies for each database, table, or column. This becomes unmanageable at scale - for example, protecting 500 tables containing PII data requires creating and maintaining 500 separate policies. When data classifications change or new tables are added, every related policy must be manually updated. This approach doesn't leverage metadata-driven governance and creates significant operational overhead compared to other Ranger-integrated services like Hive and HBase that support tag-based policies.

Describe the solution you'd like
Implement tag-based policy support in the StarRocks Ranger plugin, allowing policies to be defined based on data classification tags (e.g., "PII", "SENSITIVE", "CONFIDENTIAL") rather than individual resources. This would include: (1) integration with Ranger Tag Service to evaluate tag-based policies, (2) support for tag synchronization from Apache Atlas or manual tag management, (3) tag-based access control, masking, and row-level filtering, and (4) policy evaluation that respects both tag-based and resource-based policies while maintaining backward compatibility. A single policy like "Tag: PII → Mask for Analysts" would automatically apply to all tables tagged as PII, eliminating the need for per-table policies.

Describe alternatives you've considered
Current workarounds include: (1) Group-based access with LDAP - but this still requires resource-level policies and doesn't scale, (2) Naming conventions with wildcards (e.g., pii_* tables) - fragile and limited expressiveness, (3) Using Hive External Catalogs where tag-based policies work - but this only helps with external data, not StarRocks internal tables. These alternatives are insufficient for enterprise-scale data governance and regulatory compliance requirements.

Additional context
Tag-based policies are standard in modern data platforms (AWS Lake Formation, Azure Purview) and other Ranger-supported services (Hive, HBase, Atlas). This feature would enable: separation of concerns between data stewards (who classify data) and security admins (who define policies), automatic policy application to new resources when tagged, consistent governance across hybrid/multi-cloud environments, and simplified compliance with GDPR, CCPA, and HIPAA. Example: One "PII" tag policy protects 1000 tables vs. managing 1000 individual policies. This is critical for enterprise customers and competitive parity with other analytics platforms.
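To make the requested evaluation model concrete, here is an added toy evaluator (not StarRocks or Ranger code): tags attached to columns by a data steward, one tag-based masking policy and one tag-based deny, plus an existing resource-based allow. The tag names, resource paths, group names, policy names and the deny > mask > allow precedence are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample: classification tags per column, as a steward (or an Atlas sync) would assign them.
TAGS = {
    "sales.customers.email": {"PII"},
    "sales.customers.ssn": {"PII", "CONFIDENTIAL"},
    "sales.orders.total": set(),
}

@dataclass
class Policy:
    name: str
    kind: str            # "tag" or "resource"
    match: str           # tag name, or resource path with optional trailing "*"
    groups: set          # groups the policy applies to
    access: str          # "allow" | "deny" | "mask"
    mask_type: str = ""  # only meaningful for access == "mask"

# Constructed policies: one PII masking rule and one CONFIDENTIAL deny cover every tagged
# column; the single resource-based allow keeps pre-existing behaviour working.
POLICIES = [
    Policy("pii-mask-analysts", "tag", "PII", {"analysts"}, "mask", "MASK_HASH"),
    Policy("confidential-deny-analysts", "tag", "CONFIDENTIAL", {"analysts"}, "deny"),
    Policy("sales-read", "resource", "sales.*", {"analysts", "auditors"}, "allow"),
]

def _matches_resource(pattern, resource):
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def evaluate(resource, user_groups):
    """Return (decision, policy_name, mask_type). Simplified precedence (an assumption,
    not Ranger's exact algorithm): any deny wins, then a mask on top of an allow, else
    plain allow; with no applicable allow the default is deny."""
    tags = TAGS.get(resource, set())
    applicable = [p for p in POLICIES if p.groups & user_groups and (
        (p.kind == "tag" and p.match in tags) or
        (p.kind == "resource" and _matches_resource(p.match, resource)))]
    for p in applicable:
        if p.access == "deny":
            return ("deny", p.name, "")
    allow = next((p for p in applicable if p.access == "allow"), None)
    if allow is None:
        return ("deny", "", "")
    mask = next((p for p in applicable if p.access == "mask"), None)
    return ("mask", mask.name, mask.mask_type) if mask else ("allow", allow.name, "")

def tag_resource(resource, tag):
    """Tagging a newly added column makes existing tag policies apply with no new policy."""
    TAGS.setdefault(resource, set()).add(tag)
```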
