This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 79f4efc  RANGER-3688: resource-based masking policy doesn't override 
tag-based policy
79f4efc is described below

commit 79f4efc4396abb09befff5639281a6f757723a18
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Tue Mar 29 14:06:21 2022 -0700

    RANGER-3688: resource-based masking policy doesn't override tag-based policy
    
    (cherry picked from commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3)
---
 .../RangerDefaultDataMaskPolicyItemEvaluator.java  |  8 ++++++-
 .../test_policyengine_tag_hive_mask.json           | 26 +++++++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index 5582124..f7e5f81 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -45,10 +45,16 @@ public class RangerDefaultDataMaskPolicyItemEvaluator 
extends RangerDefaultPolic
        public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, 
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
                RangerPolicyItemDataMaskInfo dataMaskInfo = getDataMaskInfo();
 
-               if (result.getMaskType() == null && dataMaskInfo != null) {
+               if (dataMaskInfo != null) {
                        result.setMaskType(dataMaskInfo.getDataMaskType());
                        
result.setMaskCondition(dataMaskInfo.getConditionExpr());
                        result.setMaskedValue(dataMaskInfo.getValueExpr());
+                       result.setIsAccessDetermined(true);
+                       
result.setPolicyPriority(policyEvaluator.getPolicyPriority());
+                       result.setPolicyId(policyEvaluator.getId());
+                       result.setReason(getComments());
+                       
result.setPolicyVersion(policyEvaluator.getPolicy().getVersion());
+
                        policyEvaluator.updateAccessResult(result, matchType, 
true, getComments());
                }
        }
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
index a97bd2b..f2518b0 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
@@ -228,6 +228,18 @@
           "delegateAdmin": false
         }
       ]
+    },
+    { "id": 103, "name":  "masking: employee.personal.ssl - normal priority", 
"isEnabled":  true, "isAuditEnabled":  true, "policyType": 1, "policyPriority": 
0,
+      "resources": { "database": { "values": [ "employee" ] }, "table": { 
"values": [ "personal" ] }, "column": { "values": [ "ssn" ] } },
+      "dataMaskPolicyItems": [
+        { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ 
"user1" ], "dataMaskInfo": { "dataMaskType": "NONE" } }
+      ]
+    },
+    { "id": 104, "name":  "masking: employee.personal.ssl - override 
priority", "isEnabled":  true, "isAuditEnabled":  true, "policyType": 1, 
"policyPriority": 1,
+      "resources": { "database": { "values": [ "employee" ] }, "table": { 
"values": [ "personal" ] }, "column": { "values": [ "ssn" ] } },
+      "dataMaskPolicyItems": [
+        { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ 
"user3" ], "dataMaskInfo": { "dataMaskType": "NONE" } }
+      ]
     }
   ],
   "tagPolicyInfo": {
@@ -418,7 +430,8 @@
               }
             ],
             "users": [
-              "user2"
+              "user2",
+              "user3"
             ],
             "groups": [],
             "delegateAdmin": false,
@@ -472,6 +485,17 @@
       
"dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":1}
     },
     {
+      "name": "'select ssn from employee.personal;' for user3 - maskType=NONE 
(resource-policy override)",
+      "request": {
+        "resource": { "elements": { "database": "employee", "table": 
"personal", "column": "ssn" } },
+        "accessType": "select", "user": "user3", "requestData": "select ssn 
from employee.personal;' for user2",
+        "context": {
+          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+        }
+      },
+      
"dataMaskResult":{"additionalInfo":{"maskType":"NONE","maskCondition":null,"maskValue":null},"policyId":104}
+    },
+    {
       "name": "'select ssn from employee.personal;' for hive - maskType=NONE",
       "request": {
         "resource": {

Reply via email to