[
https://issues.apache.org/jira/browse/RANGER-1796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16180144#comment-16180144
]
peng.jianhua commented on RANGER-1796:
--------------------------------------
Hi [~madhan.neethiraj], You are right. I agree with your point of view. But I
think that there are as following:
The user must understand this theory and the logic behind the implementation of
this theory for Ranger. For ordinary users, I think this approach is too
abstract.
For this issue, we call it as a black and white list. This issue has the
following advantages:
1. Logic is clearer. The user can clearly complete the above usecase through
two steps. Firstly, Select GROUPA and set masking policy in 'Allow Conditions';
Secondly, Select USER1 in "Exclude from Allow Conditions". This directly
reflects the user's idea, that is, I desensitize other users outside of the
USER1 user in GROUPA group.
2. The ranger doesn't support following usecase now. It will be supported after
resolving the issue.
I desensitized for all groups except GROUPA group. And I also desensitize for
USER1 user, which belong to the GROUPA group. The steps for the usecase are as
following:
a. Select 'public' group in 'Allow Conditions'. The 'public' group is a special
group, it represents all the groups in Ranger.
b. Select 'GROUPA' group in 'Deny Conditions'.
c. Select 'USER1' user in 'Exclude from Deny Conditions'. The 'USER1' belongs
to 'GROUPA' group.
Please refer to usecase-01.png.
More complex logic can also be supported after resolving the issue.
> Updated masking policy for hive to support for
> deny/allowException/denyExceptions
> ----------------------------------------------------------------------------------
>
> Key: RANGER-1796
> URL: https://issues.apache.org/jira/browse/RANGER-1796
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Affects Versions: 1.0.0, master
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: newbie, patch
> Attachments:
> 0001-RANGER-1796-Updated-masking-policy-for-hive-to-suppo.patch, masking2.png
>
>
> Masking policy for hive should support for
> deny/allowException/denyExceptions to meet further business needs. Such as
> masking policy for hive should support as following scene and so on:
> USER1, USER2 and USER3 belong to the user group GROUPA. Select GROUPA group
> when created masking policy. The USER1 does not use masking and USER2, USER3
> need masking.
> We rigorously tested this issue. The test result shows that the feature is ok.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
