Hi Ramesh, I have got one more question here, [image: image.png] You mentioned about *name='NA' *will be picked up by Ranger policy engine in this case for Row filtering but what about row filtering policy on *custKey* column? How will that get evaluated here?
On Thu, May 28, 2020 at 9:06 AM <agrawal.reetika...@gmail.com> wrote: > Thank you Madhan for your reply. > This was helpful. > > Sent from my iPhone > > On 27-May-2020, at 8:42 PM, Madhan Neethiraj <mad...@apache.org> wrote: > > > > Reetika, > > > > Policy priority/override was introduced in Ranger 1.1.0, via RANGER-2000 > (Policy effective dates to support time-bound and temporary authorization). > > > > While determining column-mask/row-filter to apply, Ranger policy engine > evaluates the policy-items in the order they appear in the policy, and > picks the first match. In your example, row-filter name=’NA’ will be > applied since that is the first match for user=admin. > > > > Hope this helps. > > > > Regards, > > Madhan > > > > > > *From: *reetika agrawal <agrawal.reetika...@gmail.com> > *Reply-To: *"user@ranger.apache.org" <user@ranger.apache.org> > *Date: *Wednesday, May 27, 2020 at 12:11 AM > *To: *"user@ranger.apache.org" <user@ranger.apache.org> > *Subject: *Re: Question on Ranger Hive Row filtering and Column Masking > > > > Hi Madhan, > > Thank you for your reply. > > > > As you mentioned, when I tried creating multiple policies for the same > table/column I got the same error- > > Error Code : 3010 Another policy already exists for matching resource: > policy-name=[testdb.testtable.col1], service=[test_hive] > > > > I don't see this option of overriding the policy though in my ranger, Is > it something which comes with the latest version of Ranger? I am using > 0.7.1 version of the ranger. > > > > Another question on Rowfiltering policy creation, If I have some policy > created something like below, > > <image001.png> > > Here in this case how WHERE clause restriction will be applied on > *custKey* column for user admin? Will it have *custKey>300 AND > custKey>100* or something else? > > > > > > > > Thanks & Regards, > > Reetika > > > > On Tue, May 26, 2020 at 10:39 PM Madhan Neethiraj <mad...@apache.org> > wrote: > > It should not be possible to create multiple column-masking policies for a > column. Attempt to create a second policy for a column should result in > following error: > > Error Code : 3010 Another policy already exists for matching resource: > policy-name=[testdb.testtable.col1], service=[test_hive] > > > > Assuming you managed to create multiple such policies (perhaps by updating > the default Hive service-def – which is not recommended), policy priority > can be used to order the evaluation i.e. policies with ‘Override’ priority > will be evaluated before policies with ‘Normal’ priority. However, the > order of evaluation within a given priority cannot be controlled by the > user. > > > > <image002.png> > > > > <image003.png> > > > > The same applies for row-filtering policies as well. > > > > Hope this helps. > > > > Madhan > > > > *From: *reetika agrawal <agrawal.reetika...@gmail.com> > *Reply-To: *"user@ranger.apache.org" <user@ranger.apache.org> > *Date: *Tuesday, May 26, 2020 at 6:54 AM > *To: *"user@ranger.apache.org" <user@ranger.apache.org> > *Subject: *Question on Ranger Hive Row filtering and Column Masking > > > > Hi, > > I would like to know how ranger evaluates and apply column Masking policy > if there is more than one type of column masking policy defined for a given > column of a table? > > > > Ex- > > Policy1 -> testable -> col1 -> *Nulllify (Column masking)* -> User1 > > Policy2 -> testable -> col1 -> *Nulllify (Hash)* -> User1 > > > > Same question, for Row filtering as well, > > Ex- > > Policy1 -> testable -> *No-filter appplied (Row filtering)* -> User1 > > Policy2 -> testable -> *col1='A' (Row filtering) *-> User1 > > > > In the above cases which policy will be honored in both the case of Column > masking and Row filtering? > > If there is any document around it, could you please point to me that also. > > > > -- > > Thanks, > > Reetika Agrawal > > > > > -- > > Thanks, > > Reetika Agrawal > > -- Thanks, Reetika Agrawal
