Reetika,
Policy priority/override was introduced in Ranger 1.1.0, via RANGER-2000 (Policy effective dates to support time-bound and temporary authorization). While determining column-mask/row-filter to apply, Ranger policy engine evaluates the policy-items in the order they appear in the policy, and picks the first match. In your example, row-filter name=’NA’ will be applied since that is the first match for user=admin. Hope this helps. Regards, Madhan From: reetika agrawal <agrawal.reetika...@gmail.com> Reply-To: "user@ranger.apache.org" <user@ranger.apache.org> Date: Wednesday, May 27, 2020 at 12:11 AM To: "user@ranger.apache.org" <user@ranger.apache.org> Subject: Re: Question on Ranger Hive Row filtering and Column Masking Hi Madhan, Thank you for your reply. As you mentioned, when I tried creating multiple policies for the same table/column I got the same error- Error Code : 3010 Another policy already exists for matching resource: policy-name=[testdb.testtable.col1], service=[test_hive] I don't see this option of overriding the policy though in my ranger, Is it something which comes with the latest version of Ranger? I am using 0.7.1 version of the ranger. Another question on Rowfiltering policy creation, If I have some policy created something like below, Here in this case how WHERE clause restriction will be applied on custKey column for user admin? Will it have custKey>300 AND custKey>100 or something else? Thanks & Regards, Reetika On Tue, May 26, 2020 at 10:39 PM Madhan Neethiraj <mad...@apache.org> wrote: It should not be possible to create multiple column-masking policies for a column. Attempt to create a second policy for a column should result in following error: Error Code : 3010 Another policy already exists for matching resource: policy-name=[testdb.testtable.col1], service=[test_hive] Assuming you managed to create multiple such policies (perhaps by updating the default Hive service-def – which is not recommended), policy priority can be used to order the evaluation i.e. policies with ‘Override’ priority will be evaluated before policies with ‘Normal’ priority. However, the order of evaluation within a given priority cannot be controlled by the user. The same applies for row-filtering policies as well. Hope this helps. Madhan From: reetika agrawal <agrawal.reetika...@gmail.com> Reply-To: "user@ranger.apache.org" <user@ranger.apache.org> Date: Tuesday, May 26, 2020 at 6:54 AM To: "user@ranger.apache.org" <user@ranger.apache.org> Subject: Question on Ranger Hive Row filtering and Column Masking Hi, I would like to know how ranger evaluates and apply column Masking policy if there is more than one type of column masking policy defined for a given column of a table? Ex- Policy1 -> testable -> col1 -> Nulllify (Column masking) -> User1 Policy2 -> testable -> col1 -> Nulllify (Hash) -> User1 Same question, for Row filtering as well, Ex- Policy1 -> testable -> No-filter appplied (Row filtering) -> User1 Policy2 -> testable -> col1='A' (Row filtering) -> User1 In the above cases which policy will be honored in both the case of Column masking and Row filtering? If there is any document around it, could you please point to me that also. -- Thanks, Reetika Agrawal -- Thanks, Reetika Agrawal
