ranger-dev mailing list archives

From "Madhan Neethiraj (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1796) Updated masking policy for hive to support for deny/allowException/denyExceptions
Date Mon, 25 Sep 2017 15:36:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16179181#comment-16179181 ]

Madhan Neethiraj commented on RANGER-1796:
------------------------------------------

bq. USER1, USER2 and USER3 belong to the user group GROUPA. Select GROUPA group when created
masking policy. The USER1 does not use masking and USER2, USER3 need masking.
[~peng.jianhua] - we thought about this use case and this can be handled today, without enabling
deny & exceptions - by having the policy-item for USER1 ahead of the policy-item for GROUPA.
For masking & row-filtering policies, the policy-items are evaluated in the order listed
in the policy and the first policy-item that matches the request will be applied. The policy-items
would be in the following order:
- user=USER1; maskType='No Mask'
- group=GROUPA; maskType='Partial Mask: show last 4'

It is not clear what a deny would mean for masking & row-filtering policies. Can you add
a couple of use cases to understand the requirements?

> Updated masking policy for hive  to support for deny/allowException/denyExceptions
> ----------------------------------------------------------------------------------
>
>                 Key: RANGER-1796
>                 URL: https://issues.apache.org/jira/browse/RANGER-1796
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>    Affects Versions: 1.0.0, master
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>              Labels: newbie, patch
>         Attachments: 0001-RANGER-1796-Updated-masking-policy-for-hive-to-suppo.patch, masking2.png
>
>
> Masking policy for hive  should support for deny/allowException/denyExceptions to meet further business needs. Such as masking policy for hive should support as following scene and so on:
> USER1, USER2 and USER3 belong to the user group GROUPA. Select GROUPA group when created masking policy. The USER1 does not use masking and USER2, USER3 need masking.
> We rigorously tested this issue. The test result shows that the feature is ok.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
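
The first-match ordering described in the comment above, as an added example that is not part of the original message and is not Ranger's code: a simplified Python model that evaluates masking policy-items in listed order and flags items that can never win. The class and function names, the USER4 account and the group membership table are assumptions constructed for illustration.

```python
# Simplified model of first-match evaluation for masking policy-items.
# Illustrative only: not Ranger's implementation; all names are hypothetical.
from dataclasses import dataclass
from typing import Optional

NO_MASK = "No Mask"
SHOW_LAST_4 = "Partial Mask: show last 4"

@dataclass(frozen=True)
class MaskItem:
    mask_type: str
    users: frozenset = frozenset()
    groups: frozenset = frozenset()

    def matches(self, user, user_groups):
        return user in self.users or bool(self.groups & set(user_groups))

def effective_mask(items, user, user_groups) -> Optional[str]:
    """Mask type of the first item matching the request, or None if none match."""
    for item in items:
        if item.matches(user, user_groups):
            return item.mask_type
    return None

# Constructed membership: USER1..USER3 are in GROUPA (as in the thread);
# USER4 is an added account outside the group.
MEMBERSHIP = {"USER1": {"GROUPA"}, "USER2": {"GROUPA"},
              "USER3": {"GROUPA"}, "USER4": set()}

# Order suggested in the comment: the user exception ahead of the group item.
RECOMMENDED = [MaskItem(NO_MASK, users=frozenset({"USER1"})),
               MaskItem(SHOW_LAST_4, groups=frozenset({"GROUPA"}))]
# Same items in the wrong order: the group item captures USER1 first.
REVERSED = list(reversed(RECOMMENDED))

def audit(items):
    """Effective mask per known user, for reviewing a policy before saving it."""
    return {u: effective_mask(items, u, g) for u, g in MEMBERSHIP.items()}

def shadowed_items(items):
    """Indexes of items that are never the first match for any known user."""
    winners = set()
    for user, groups in MEMBERSHIP.items():
        for i, item in enumerate(items):
            if item.matches(user, groups):
                winners.add(i)
                break
    return [i for i in range(len(items)) if i not in winners]

if __name__ == "__main__":
    print(audit(RECOMMENDED), shadowed_items(RECOMMENDED))
    print(audit(REVERSED), shadowed_items(REVERSED))
```

A non-empty `shadowed_items` result means an exception item sits below a broader item that always matches first, which is the ordering mistake to look for when reviewing such a policy.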
