[ https://issues.apache.org/jira/browse/RANGER-4023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Subhrat Chaudhary updated RANGER-4023:
--------------------------------------
    Description: 
We added support for user/attribute based expressions in the masking condition 
in RANGER-3865. When only the mask condition has a user/group attribute based 
expression, RangerUserStoreEnricher is not enabled at the plugin end.

Steps to reproduce (for Hive):
 * Create a resource based access policy:
 ** Resources: database=testdb, table=employee, column=*
 ** Allow condition policy item: group=public, permissions=select
 * Create a masking policy:
 ** Resources: database=testdb, table=employee, column=salary
 ** Allow condition policy item: group=public, permissions=select
 ** *Masking Option= Custom expression as below*

{code:java}
CASE WHEN id IN (${{USER.employee_id}}) THEN salary ELSE '0' END
{code}
 * Add the following attributes to the user jack:
 ** *employee_id : 1,2*
 * We have the following data in Hive:
||id||name||salary||
|1|john|5600|
|2|jane|5300|
|3|jack|6700|
|4|harry|9500|

 * When the query *select * from testdb.employee;* is executed (as the user jack), 
the expectation is that the *salary of the employees john and jane should be displayed 
as it is, while for others it should be 0*. In the actual result, the salary of all 
the employees is '0'.
 * At the plugin end, the RangerUserstore cache file userstore.json is not created.

  was:
We added support for user/attribute based expressions in the masking condition 
in RANGER-3865. When only the mask condition has a user/group attribute based 
expression, RangerUserStoreEnricher is not enabled at the plugin end.

Steps to reproduce (for Hive):
 * Create a resource based access policy:
 ** Resources: database=testdb, table=employee, column=*
 ** Allow condition policy item: group=public, permissions=select
 * Create a masking policy:
 ** Resources: database=testdb, table=employee, column=salary
 ** Allow condition policy item: group=public, permissions=select
 ** {*}Masking Option= Custom ({*}{*}CASE WHEN id IN (${\{USER.employee_id}}) 
THEN salary ELSE '0' END{*}{*}){*}
 * Add the following attributes to the user jack:
 ** *employee_id : 1,2*
 * We have the following data in Hive:
||id||name||salary||
|1|john|5600|
|2|jane|5300|
|3|jack|6700|
|4|harry|9500|

 * When the query *select * from testdb.employee;* is executed (as the user jack), 
the expectation is that the *salary of the employees john and jane should be displayed 
as it is, while for others it should be 0*. In the actual result, the salary of all 
the employees is '0'.
 * At the plugin end, the RangerUserstore cache file userstore.json is not created.


> UserStoreEnricher is not enabled if only mask condition has attribute based 
> expression
> -------------------------------------------------------------------------------------
>
>                 Key: RANGER-4023
>                 URL: https://issues.apache.org/jira/browse/RANGER-4023
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Subhrat Chaudhary
>            Assignee: Subhrat Chaudhary
>            Priority: Major
>             Fix For: 3.0.0, 2.4.1



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
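
Added example (not part of the Jira message or the Ranger code base): a Python/SQLite simulation of the reproduction steps above, showing the expected result when jack's employee_id attribute is available and the reported all-'0' result when it is not. The macro expander, the function names and the empty-string expansion of a missing attribute are assumptions made for illustration; Ranger's own macro handling is not shown on this page.

```python
import re
import sqlite3

# Constructed sample data: the employee table from the report.
ROWS = [(1, "john", 5600), (2, "jane", 5300), (3, "jack", 6700), (4, "harry", 9500)]
MASK_EXPR = "CASE WHEN id IN (${{USER.employee_id}}) THEN salary ELSE '0' END"
MACRO = re.compile(r"\$\{\{USER\.(\w+)\}\}")


def uses_user_attributes(expr):
    """True when the expression references a user attribute (needs user-store data)."""
    return bool(MACRO.search(expr))


def expand_user_macros(expr, user_attrs):
    """Replace each ${{USER.attr}} with the user's attribute value.

    Assumption: an attribute that is not available expands to an empty string,
    which models evaluating the mask without any user-store data.
    Values are restricted to comma-separated integers so the substitution
    cannot change the structure of the SQL expression.
    """
    def repl(match):
        value = user_attrs.get(match.group(1), "")
        if value and not re.fullmatch(r"\d+(,\d+)*", value):
            raise ValueError(f"unexpected attribute value: {value!r}")
        return value
    return MACRO.sub(repl, expr)


def masked_salaries(user_attrs):
    """Return {name: salary as seen through the mask} for the sample table."""
    expr = expand_user_macros(MASK_EXPR, user_attrs)
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE employee (id INTEGER, name TEXT, salary INTEGER)")
        conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", ROWS)
        # SQLite accepts an empty IN () list; it matches no row.
        query = f"SELECT name, {expr} AS masked FROM employee ORDER BY id"
        return dict(conn.execute(query).fetchall())
    finally:
        conn.close()


if __name__ == "__main__":
    print("attributes available:", masked_salaries({"employee_id": "1,2"}))
    print("attributes missing  :", masked_salaries({}))
```

Comparing the two results after a plugin upgrade is a quick way to confirm that a mask-only attribute reference is being resolved.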
