[ https://issues.apache.org/jira/browse/RANGER-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj resolved RANGER-3688.
--------------------------------------
    Fix Version/s: 3.0.0
                   2.3.0
       Resolution: Fixed

master branch:
{noformat}
commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3
Author: Madhan Neethiraj <mad...@apache.org>
Date:   Tue Mar 29 14:06:21 2022 -0700

    RANGER-3688: resource-based masking policy doesn't override tag-based policy
{noformat}

ranger-2.4 branch:
{noformat}
commit 79f4efc4396abb09befff5639281a6f757723a18
Author: Madhan Neethiraj <mad...@apache.org>
Date:   Tue Mar 29 14:06:21 2022 -0700

    RANGER-3688: resource-based masking policy doesn't override tag-based policy

    (cherry picked from commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3)
{noformat}

> Resource based masking policy with override priority
> ----------------------------------------------------
>
>                 Key: RANGER-3688
>                 URL: https://issues.apache.org/jira/browse/RANGER-3688
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>
> The Apache Ranger policy model provides policy priority to override decisions
> made by normal priority policies. This can be used to provide (temporary)
> access to resources when another policy might deny access - for example:
> * access to the finance database is to be allowed only for users in the
>   finance-users group; everyone else should be denied access
> * access to a subset of tables/columns in the finance database should be
>   allowed for users in the auditors group
>
> The above requirement can be met by creating the following 2 policies:
> * policy #1: resource: { database=finance }, groups: [ finance ],
>   permissions: [ all ], isDenyAllElse: true
> * policy #2: resource: { database=finance, table=audit* }, groups: [ auditors ],
>   permissions: [ select ], priority: override
>
> Such policy override works well for access requests, even across tag-based
> and resource-based policies. However, for data-masking policies, the decisions
> made by a tag-based masking policy are not overridden by resource-based
> policies with override priority. For example:
> * tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact,
>   priority=normal
> * resource-masking-policy #2: resource: { database=customer, table=order,
>   column=amount }, groups: [ analyst ], maskType=none, priority=override
>
> The above policies should allow users in the analyst group to see the unmasked
> value of the customer.order.amount column, even when the column is tagged as
> SENSITIVE. Currently, users in the analyst group will only see values with
> redact masking applied.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
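The following is an added worked example, not code from the Ranger project or from the issue above. It models both scenarios in the description (the access-policy override with isDenyAllElse, and the masking-policy override that RANGER-3688 reports as broken) with a small Python evaluator over policies written in a subset of Ranger's policy JSON shape (policyType, policyPriority, resources, isDenyAllElse, policyItems, dataMaskPolicyItems). The matching rules, the tag-first ordering, the function names and the sample policies are all assumptions of this example; `honour_priority=False` reproduces the reported behaviour (first matching tag policy decides), not Ranger's actual pre-fix code path.

```python
"""Toy model of Apache Ranger policy-priority evaluation (added example; not Ranger code).

Policies use a subset of Ranger's policy JSON: policyType (0 = access, 1 = masking),
policyPriority (0 = normal, 1 = override), resources, isDenyAllElse, policyItems and
dataMaskPolicyItems. Tag-based policies are written with a "tag" resource, and a
request carries the tags attached to the column it targets. The matching rules
below are deliberately simplified (a resource level absent from the policy matches
anything) and are assumptions of this example, not Ranger's evaluator.
"""
import fnmatch

NORMAL, OVERRIDE = 0, 1      # Ranger policyPriority values
ACCESS, MASKING = 0, 1       # Ranger policyType values


def _matches(policy, request):
    """True if the policy's resources (or tag) cover the requested resource."""
    spec = policy["resources"]
    if "tag" in spec:                                   # tag-based policy
        return any(fnmatch.fnmatchcase(tag, v)
                   for tag in request.get("tags", []) for v in spec["tag"]["values"])
    for level, values in spec.items():                  # resource-based policy
        value = request.get(level)
        if value is None or not any(fnmatch.fnmatchcase(value, v) for v in values["values"]):
            return False
    return True


def _by_priority(policies, honour_priority):
    """Yield policies override-first, or in the given order if priority is ignored."""
    if not honour_priority:
        yield from policies
        return
    for prio in (OVERRIDE, NORMAL):
        yield from (p for p in policies if p["policyPriority"] == prio)


def evaluate_access(policies, request, group, access_type):
    """ALLOW/DENY for the request. Override policies are consulted before normal
    ones and the first policy that decides wins; a policy with isDenyAllElse
    denies any request it matches that none of its items allow."""
    matching = [p for p in policies if p["policyType"] == ACCESS and _matches(p, request)]
    for p in _by_priority(matching, honour_priority=True):
        for item in p["policyItems"]:
            if group in item["groups"] and any(
                    a["isAllowed"] and a["type"] in ("all", access_type) for a in item["accesses"]):
                return "ALLOW"
        if p.get("isDenyAllElse"):
            return "DENY"
    return "DENY"                                       # default: nothing allowed it


def evaluate_mask(policies, request, group, honour_priority=True):
    """Return the dataMaskType to apply (MASK_NONE = show in clear) or None when no
    masking policy applies. Tag policies are consulted before resource policies.
    honour_priority=False reproduces the behaviour reported in RANGER-3688: the
    first matching tag policy decides and a resource policy's override priority
    is never consulted."""
    matching = [p for p in policies if p["policyType"] == MASKING and _matches(p, request)]
    tag_first = sorted(matching, key=lambda p: 0 if "tag" in p["resources"] else 1)
    for p in _by_priority(tag_first, honour_priority):
        for item in p["dataMaskPolicyItems"]:
            if group in item["groups"]:
                return item["dataMaskInfo"]["dataMaskType"]
    return None


# Constructed policies mirroring the four described in the issue.
POLICIES = [
    {"name": "finance-db", "policyType": ACCESS, "policyPriority": NORMAL, "isDenyAllElse": True,
     "resources": {"database": {"values": ["finance"]}},
     "policyItems": [{"groups": ["finance"], "accesses": [{"type": "all", "isAllowed": True}]}]},
    {"name": "finance-audit-tables", "policyType": ACCESS, "policyPriority": OVERRIDE,
     "isDenyAllElse": False,
     "resources": {"database": {"values": ["finance"]}, "table": {"values": ["audit*"]}},
     "policyItems": [{"groups": ["auditors"], "accesses": [{"type": "select", "isAllowed": True}]}]},
    {"name": "tag-SENSITIVE-redact", "policyType": MASKING, "policyPriority": NORMAL,
     "resources": {"tag": {"values": ["SENSITIVE"]}},
     "dataMaskPolicyItems": [{"groups": ["analyst"], "dataMaskInfo": {"dataMaskType": "MASK_REDACT"}}]},
    {"name": "customer-order-amount-unmask", "policyType": MASKING, "policyPriority": OVERRIDE,
     "resources": {"database": {"values": ["customer"]}, "table": {"values": ["order"]},
                   "column": {"values": ["amount"]}},
     "dataMaskPolicyItems": [{"groups": ["analyst"], "dataMaskInfo": {"dataMaskType": "MASK_NONE"}}]},
]

# Constructed requests (resource levels plus the tags found on the column).
AUDIT_TABLE = {"database": "finance", "table": "audit_2022"}
LEDGER_TABLE = {"database": "finance", "table": "ledger"}
AMOUNT_COLUMN = {"database": "customer", "table": "order", "column": "amount", "tags": ["SENSITIVE"]}

if __name__ == "__main__":
    print(evaluate_access(POLICIES, AUDIT_TABLE, "auditors", "select"))            # ALLOW (override policy)
    print(evaluate_access(POLICIES, LEDGER_TABLE, "auditors", "select"))           # DENY  (isDenyAllElse)
    print(evaluate_mask(POLICIES, AMOUNT_COLUMN, "analyst", honour_priority=False)) # MASK_REDACT (reported)
    print(evaluate_mask(POLICIES, AMOUNT_COLUMN, "analyst"))                        # MASK_NONE   (expected)
```

The point the model makes: for access, override-priority policies are already consulted first, so the auditors' select on finance.audit_2022 is allowed even though the normal-priority finance policy would deny it; for masking, if the tag policy's decision is taken before priority is considered, the analyst gets MASK_REDACT on customer.order.amount despite the override-priority MASK_NONE policy, which is exactly the discrepancy the issue reports.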