Repository: ranger
Updated Branches:
  refs/heads/master 8ea482af6 -> 662878d2d


RANGER-2066: Hbase column family access is authorized by a tagged column in the 
column family


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/662878d2
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/662878d2
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/662878d2

Branch: refs/heads/master
Commit: 662878d2dcd1ff67642eeeceb108f38ff23036ee
Parents: 8ea482a
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Thu Apr 12 22:02:54 2018 -0700
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Thu Apr 12 22:02:54 2018 -0700

----------------------------------------------------------------------
 .../contextenricher/RangerTagEnricher.java      |  4 +-
 .../policyengine/RangerPolicyEngineImpl.java    | 18 ++++--
 ...angerDefaultDataMaskPolicyItemEvaluator.java |  8 +--
 .../RangerDefaultPolicyEvaluator.java           | 63 ++++++++++----------
 .../RangerDefaultPolicyItemEvaluator.java       | 19 +-----
 ...ngerDefaultRowFilterPolicyItemEvaluator.java |  8 +--
 .../policyevaluator/RangerPolicyEvaluator.java  |  3 +
 .../RangerPolicyItemEvaluator.java              |  3 +-
 .../test_policyengine_tag_hive.json             | 14 ++++-
 9 files changed, 71 insertions(+), 69 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 83d1280..b12d8ff 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -356,16 +356,18 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
                                        if (request.isAccessTypeAny()) {
                                                isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
                                        } else if 
(request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
+                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
                                        } else {
                                                isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                                        }
+
                                        if (isMatched) {
                                                if (ret == null) {
                                                        ret = new HashSet<>();
                                                }
                                                
ret.addAll(getTagsForServiceResource(enrichedServiceTags.getServiceTags(), 
resourceMatcher.getServiceResource(), matchType));
                                        }
+
                                }
                        }
                }

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5bce47b..7e157e7 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -393,13 +393,19 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                RangerPolicyResourceMatcher.MatchType matchType 
= tagMatchTypeMap != null ? tagMatchTypeMap.get(evaluator.getId()) : null;
 
                                if (matchType == null) {
-                                       // This evaluator is not tag evaluator
                                        matchType = 
evaluator.getPolicyResourceMatcher().getMatchType(request.getResource(), 
request.getContext());
-                                       if (matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
-                                               // Need to skip this evaluator, 
if access-type were not ANY, in RangerDefaultPolicyEvaluator this will cause
-                                               // the evaluation to be skipped
-                                               continue;
-                                       }
+                               }
+
+                               final boolean isMatched;
+
+                               if (request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+                                       isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                               } else {
+                                       isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+                               }
+
+                               if (!isMatched) {
+                                       continue;
                                }
 
                                PolicyACLSummary aclSummary = 
evaluator.getPolicyACLSummary();

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index bfdf581..557dd0a 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -42,18 +42,14 @@ public class RangerDefaultDataMaskPolicyItemEvaluator 
extends RangerDefaultPolic
        }
 
        @Override
-       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, RangerPolicy policy) {
+       public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
                RangerPolicyItemDataMaskInfo dataMaskInfo = getDataMaskInfo();
 
                if (dataMaskInfo != null) {
-                       result.setIsAllowed(true);
-                       result.setIsAccessDetermined(true);
-
                        result.setMaskType(dataMaskInfo.getDataMaskType());
                        
result.setMaskCondition(dataMaskInfo.getConditionExpr());
                        result.setMaskedValue(dataMaskInfo.getValueExpr());
-                       result.setPolicyPriority(policy.getPolicyPriority());
-                       result.setPolicyId(policyId);
+                       policyEvaluator.updateAccessResult(result, matchType, 
true, getComments());
                }
        }
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 63fc468..46c409f 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -221,28 +221,21 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
                        if (!result.getIsAccessDetermined() || 
!result.getIsAuditedDetermined()) {
                                RangerPolicyResourceMatcher.MatchType matchType;
-                               final boolean isMatched;
 
                                if 
(RangerTagAccessRequest.class.isInstance(request)) {
                                        matchType = ((RangerTagAccessRequest) 
request).getMatchType();
-                                       if (matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT
-                                                       && 
!request.isAccessTypeAny()
-                                                       && 
request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               if (LOG.isDebugEnabled()) {
-                                                       LOG.debug("Setting 
matchType from DESCENDANT to SELF, so that any DENY policy-items will take 
effect.");
-                                               }
-                                               matchType = 
RangerPolicyResourceMatcher.MatchType.SELF;
-                                       }
-                                       isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
                                } else {
                                        matchType = resourceMatcher != null ? 
resourceMatcher.getMatchType(request.getResource(), request.getContext()) : 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       if (request.isAccessTypeAny()) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       } else if 
(request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       } else {
-                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
-                                       }
+                               }
+
+                               final boolean isMatched;
+
+                               if (request.isAccessTypeAny()) {
+                                       isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                               } else if (request.getResourceMatchingScope() 
== RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+                                       isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                               } else {
+                                       isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
                                }
 
                                if (isMatched) {
@@ -462,20 +455,24 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                return aclSummary;
        }
 
-       void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed) {
-               if(!isAllowed) {
-                       if(matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
+       @Override
+       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String 
reason) {
+
+               if (!isAllowed) {
+                       if (matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || 
!result.getAccessRequest().isAccessTypeAny()) {
                                result.setIsAllowed(false);
-                               
result.setPolicyPriority(getPolicy().getPolicyPriority());
+                               result.setPolicyPriority(getPolicyPriority());
                                result.setPolicyId(getId());
-                               //result.setReason(getComments());
+                               result.setReason(reason);
                        }
                } else {
-                       if(! result.getIsAllowed()) { // if access is not yet 
allowed by another policy
-                               result.setIsAllowed(true);
-                               
result.setPolicyPriority(getPolicy().getPolicyPriority());
-                               result.setPolicyId(getId());
-                               //result.setReason(getComments());
+                       if (matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || 
result.getAccessRequest().isAccessTypeAny()) {
+                               if (!result.getIsAllowed()) { // if access is 
not yet allowed by another policy
+                                       result.setIsAllowed(true);
+                                       
result.setPolicyPriority(getPolicyPriority());
+                                       result.setPolicyId(getId());
+                                       result.setReason(reason);
+                               }
                        }
                }
        }
@@ -578,18 +575,22 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                        LOG.debug("==> 
RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + 
", " + matchType + ")");
                }
                if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() 
== null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
-                       LOG.info("Using ACL Summary for access evaluation. 
PolicyId=[" + getId() +"]");
+                       if (LOG.isDebugEnabled()) {
+                               LOG.debug("Using ACL Summary for access 
evaluation. PolicyId=[" + getId() + "]");
+                       }
                        Integer accessResult = 
lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), 
request.getAccessType());
                        if (accessResult != null) {
-                               updateAccessResult(result, matchType, 
accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED));
+                               updateAccessResult(result, matchType, 
accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
                        }
                } else {
-                       LOG.info("Using policyItemEvaluators for access 
evaluation. PolicyId=[" + getId() +"]");
+                       if (LOG.isDebugEnabled()) {
+                               LOG.debug("Using policyItemEvaluators for 
access evaluation. PolicyId=[" + getId() + "]");
+                       }
 
                        RangerPolicyItemEvaluator matchedPolicyItem = 
getMatchingPolicyItem(request, result);
 
                        if (matchedPolicyItem != null) {
-                               matchedPolicyItem.updateAccessResult(result, 
matchType, getPolicy());
+                               matchedPolicyItem.updateAccessResult(this, 
result, matchType);
                        }
                }
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index 312deef..a32322b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -350,23 +350,10 @@ public class RangerDefaultPolicyItemEvaluator extends 
RangerAbstractPolicyItemEv
        }
 
        @Override
-       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, RangerPolicy policy) {
-               if(getPolicyItemType() == 
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
-                       if(matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
-                               result.setIsAllowed(false);
-                result.setPolicyPriority(policy.getPolicyPriority());
-                               result.setPolicyId(policyId);
-                               result.setReason(getComments());
-                       }
-               } else {
-                       if(! result.getIsAllowed()) { // if access is not yet 
allowed by another policy
-                               result.setIsAllowed(true);
-                result.setPolicyPriority(policy.getPolicyPriority());
-                               result.setPolicyId(policyId);
-                               result.setReason(getComments());
-                       }
-               }
+       public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
+               policyEvaluator.updateAccessResult(result, matchType, 
getPolicyItemType() != RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, 
getComments());
        }
+
        RangerPolicyConditionDef getConditionDef(String conditionName) {
                if(LOG.isDebugEnabled()) {
                        LOG.debug("==> 
RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + ")");

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index a6cea95..26ded0e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -42,16 +42,12 @@ public class RangerDefaultRowFilterPolicyItemEvaluator 
extends RangerDefaultPoli
        }
 
        @Override
-       public void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, RangerPolicy policy) {
+       public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
                RangerPolicyItemRowFilterInfo rowFilterInfo = 
getRowFilterInfo();
 
                if (rowFilterInfo != null) {
-                       result.setIsAllowed(true);
-                       result.setIsAccessDetermined(true);
-
                        result.setFilterExpr(rowFilterInfo.getFilterExpr());
-                       result.setPolicyPriority(policy.getPolicyPriority());
-                       result.setPolicyId(policyId);
+                       policyEvaluator.updateAccessResult(result, matchType, 
true, getComments());
                }
        }
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index e3cd154..5400f71 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -43,6 +43,7 @@ import 
org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 
 import static 
org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW;
 import static 
org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS;
@@ -107,6 +108,8 @@ public interface RangerPolicyEvaluator extends 
RangerPolicyResourceEvaluator {
 
        boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> 
userGroups, String accessType);
 
+       void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String 
reason);
+
        void getResourceAccessInfo(RangerAccessRequest request, 
RangerResourceAccessInfo result);
 
        PolicyACLSummary getPolicyACLSummary();

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
index be0ab7d..a6e24c6 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
@@ -24,7 +24,6 @@ import java.util.List;
 import java.util.Set;
 
 import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
-import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -66,5 +65,5 @@ public interface RangerPolicyItemEvaluator {
                        return Integer.compare(me.getEvalOrder(), 
other.getEvalOrder());
                }
        }
-       void updateAccessResult(RangerAccessResult result, 
RangerPolicyResourceMatcher.MatchType matchType, RangerPolicy policy);
+       void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType);
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/662878d2/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index ef75887..79417a0 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -39,7 +39,10 @@
      
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
      "policyItems":[
        {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", 
"user2"],"groups":["public"],"delegateAdmin":false}
-     ]
+     ],
+      "allowExceptions":[
+        
{"accesses":[{"type":"all","isAllowed":true}],"users":["testuser"],"groups":[],"delegateAdmin":false}
+      ]
     },
     {"id":102,"name":"db=*, udf=*: 
audit-all-access","isEnabled":true,"isAuditEnabled":true,
       "resources":{"database":{"values":["*"]},"udf":{"values":["*"]}},
@@ -219,6 +222,15 @@
   },
 
   "tests":[
+    {"name":"DENY 'select ssn from employee.personal;' for testuser using 
EXPIRES_ON tag with DESCENDANT match",
+      "request":{
+        "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"ssn"}},
+        
"accessType":"select","user":"testuser","userGroups":[],"requestData":"select 
ssn from employee.personal;' for testuser",
+
+        "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", 
\"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, 
\"matchType\":\"DESCENDANT\"}]"}
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    },
     {"name":"ALLOW 'select ssn from employee.personal;' for user1 using 
EXPIRES_ON tag",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"ssn"}},

Reply via email to