[ https://issues.apache.org/jira/browse/RANGER-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj resolved RANGER-3688.
--------------------------------------
    Fix Version/s: 3.0.0
                   2.3.0
       Resolution: Fixed

master branch:
{noformat}
commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3
Author: Madhan Neethiraj <mad...@apache.org>
Date:   Tue Mar 29 14:06:21 2022 -0700

    RANGER-3688: resource-based masking policy doesn't override tag-based policy
{noformat}

ranger-2.4 branch:
{noformat}
commit 79f4efc4396abb09befff5639281a6f757723a18
Author: Madhan Neethiraj <mad...@apache.org>
Date:   Tue Mar 29 14:06:21 2022 -0700

    RANGER-3688: resource-based masking policy doesn't override tag-based policy

    (cherry picked from commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3)
{noformat}

> Resource based masking policy with override priority
> ----------------------------------------------------
>
>                 Key: RANGER-3688
>                 URL: https://issues.apache.org/jira/browse/RANGER-3688
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>
> Apache Ranger policy model provides policy priority to override decisions
> made by normal priority policies. This can be used to provide (temporary)
> access to resources when another policy might deny access - for example:
>  * access to the finance database is to be allowed only for users in the
> finance-users group; everyone else should be denied access
>  * access to a subset of tables/columns in the finance database should be
> allowed for users in the auditors group
> The above requirement can be met by creating the following 2 policies:
>  * policy #1: resource: { database=finance }, groups: [ finance ],
> permissions: [ all ], isDenyAllElse: true
>  * policy #2: resource: { database=finance, table=audit* }, groups: [
> auditors ], permissions: [ select ], priority: override
>
> Such policy override works well for access requests, even across tag-based
> and resource-based policies. However, for data-masking policies, the decision
> made by a tag-based masking policy is not overridden by resource-based
> policies with override priority. For example:
>  * tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact,
> priority=normal
>  * resource-masking-policy #2: resource: { database=customer, table=order,
> column=amount }, groups: [ analyst ], maskType=none, priority=override
>
> The above policies should allow users in the analyst group to see the unmasked
> value of the customer.order.amount column, even when the column is tagged as
> SENSITIVE. Currently users in the analyst group will only see values with
> redact masking applied.
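As an added illustration (not Ranger's code and not part of the Jira thread), the following constructed Python model encodes the masking evaluation order the issue asks for: override-priority policies win regardless of whether they are tag-based or resource-based, and only then are normal-priority policies consulted. The policy names, the `MaskPolicy` class and the rule that tag-based policies are consulted before resource-based ones within the same priority tier are assumptions made for this example; `honor_override=False` reproduces the behaviour the issue reports, where a matching tag-based policy is final.

```python
from dataclasses import dataclass, field

@dataclass
class MaskPolicy:
    """Constructed model of a Ranger data-masking policy (not Ranger's classes)."""
    name: str
    groups: set
    mask_type: str           # e.g. "redact" or "none"
    priority: str = "normal" # "normal" or "override"
    tag: str = None          # set for tag-based policies
    resource: dict = field(default_factory=dict)  # set for resource-based policies

    def matches(self, user_groups, resource, tags):
        if not (self.groups & user_groups):
            return False
        if self.tag is not None:                 # tag-based: match on the column's tags
            return self.tag in tags
        return all(resource.get(k) == v for k, v in self.resource.items())

def evaluate_mask(policies, user_groups, resource, tags, honor_override=True):
    """Return the mask type to apply, or None when no masking policy matches."""
    matching = [p for p in policies if p.matches(user_groups, resource, tags)]
    if not matching:
        return None
    if not honor_override:
        # behaviour reported in RANGER-3688: a matching tag-based policy is final,
        # even when a resource-based override policy also matches
        tag_hits = [p for p in matching if p.tag is not None]
        return (tag_hits or matching)[0].mask_type
    # intended behaviour: override tier first (tag-based, then resource-based),
    # then the normal tier in the same order (ordering within a tier is assumed)
    rank = lambda p: (0 if p.priority == "override" else 1, 0 if p.tag is not None else 1)
    return min(matching, key=rank).mask_type

# the two policies from the issue description
POLICIES = [
    MaskPolicy("tag-masking-policy #1", {"analyst"}, "redact", "normal", tag="SENSITIVE"),
    MaskPolicy("resource-masking-policy #2", {"analyst"}, "none", "override",
               resource={"database": "customer", "table": "order", "column": "amount"}),
]
ANALYST = {"analyst"}
AMOUNT = {"database": "customer", "table": "order", "column": "amount"}
EMAIL = {"database": "customer", "table": "order", "column": "email"}  # constructed column

if __name__ == "__main__":
    print("fixed   :", evaluate_mask(POLICIES, ANALYST, AMOUNT, {"SENSITIVE"}))          # none
    print("reported:", evaluate_mask(POLICIES, ANALYST, AMOUNT, {"SENSITIVE"}, False))   # redact
    print("other column:", evaluate_mask(POLICIES, ANALYST, EMAIL, {"SENSITIVE"}))      # redact
```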



--
This message was sent by Atlassian Jira
(v8.20.10#820010)