[
https://issues.apache.org/jira/browse/RANGER-1796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16179181#comment-16179181
]
Madhan Neethiraj commented on RANGER-1796:
------------------------------------------
bq. USER1, USER2 and USER3 belong to the user group GROUPA. Select the GROUPA group
when creating the masking policy. USER1 does not use masking and USER2, USER3
need masking.
[~peng.jianhua] - we thought about this use case and this can be handled today,
without enabling deny & exceptions - by having the policy-item for USER1 ahead
of the policy-item for GROUPA. For masking & row-filtering policies, the
policy-items are evaluated in the order listed in the policy and the first
policy-item that matches the request will be applied. The policy-items would be
in the following order:
- user=USER1; maskType='No Mask'
- group=GROUPA; maskType='Partial Mask: show last 4'
It is not clear what a deny would mean for masking & row-filtering policies.
Can you add a couple of use cases to understand the requirements?
> Updated masking policy for hive to support for
> deny/allowException/denyExceptions
> ----------------------------------------------------------------------------------
>
> Key: RANGER-1796
> URL: https://issues.apache.org/jira/browse/RANGER-1796
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Affects Versions: 1.0.0, master
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: newbie, patch
> Attachments:
> 0001-RANGER-1796-Updated-masking-policy-for-hive-to-suppo.patch, masking2.png
>
>
> Masking policy for Hive should support
> deny/allowException/denyExceptions to meet further business needs. For example,
> the masking policy for Hive should support the following scenario, and so on:
> USER1, USER2 and USER3 belong to the user group GROUPA. Select the GROUPA group
> when creating the masking policy. USER1 does not use masking and USER2, USER3
> need masking.
> We rigorously tested this issue. The test result shows that the feature is ok.
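The first-match ordering described in the comment above, as an added example that is not Ranger's code and not part of the original message: a simplified model in which `MaskItem`, `resolve_mask` and `shadowed_items` are hypothetical names and the group membership is constructed sample data. It also shows how a reversed order makes the USER1 item unreachable.

```python
from dataclasses import dataclass, field

@dataclass
class MaskItem:
    """One masking policy-item (simplified, hypothetical model)."""
    mask_type: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def matches(self, user, user_groups):
        return user in self.users or bool(self.groups & set(user_groups))

def resolve_mask(items, user, user_groups):
    """Apply the first policy-item that matches; None means no item matched."""
    for item in items:
        if item.matches(user, user_groups):
            return item.mask_type
    return None

def shadowed_items(items, membership):
    """Indexes of items that can never apply: every known user they match
    is already matched by an earlier item in the list."""
    shadowed, already_matched = [], set()
    for index, item in enumerate(items):
        covered = {u for u, g in membership.items() if item.matches(u, g)}
        if covered and covered <= already_matched:
            shadowed.append(index)
        already_matched |= covered
    return shadowed

# Constructed sample data matching the scenario in the issue.
MEMBERS = {"USER1": {"GROUPA"}, "USER2": {"GROUPA"}, "USER3": {"GROUPA"}}

# Order recommended in the comment: the user exception ahead of the group item.
ORDERED = [
    MaskItem("No Mask", users={"USER1"}),
    MaskItem("Partial Mask: show last 4", groups={"GROUPA"}),
]
# Same items reversed: the group item matches USER1 first.
REVERSED = list(reversed(ORDERED))

if __name__ == "__main__":
    for name, items in (("ordered", ORDERED), ("reversed", REVERSED)):
        for user, groups in MEMBERS.items():
            print(name, user, resolve_mask(items, user, groups))
        print(name, "shadowed item indexes:", shadowed_items(items, MEMBERS))
```
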