[ https://issues.apache.org/jira/browse/RANGER-1796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16183921#comment-16183921 ]
peng.jianhua commented on RANGER-1796:
--------------------------------------
Hi [~madhan.neethiraj], I think that this change (to allow deny & exceptions
for masking policies) is necessary, because we have the following requirement
in a real business environment:
I mask for all groups except the GROUPA and GROUPB groups. At the same time I
also need to mask for the USER1 user, which belongs to the GROUPA group.
Now Ranger cannot resolve the above case.

The above case can be resolved using this feature according to the following
steps:
a. Select the 'public' group in 'Allow Conditions'. The 'public' group is a
special group; it represents all the groups in Ranger.
b. Select the 'GROUPB' group in 'Exclude from Allow Conditions'.
c. Select the 'GROUPA' group in 'Deny Conditions'.
d. Select the 'USER1' user in 'Exclude from Deny Conditions'. 'USER1' belongs
to the 'GROUPA' group.
Please refer to usecase-02.png.

More complex logic can also be supported by this feature. The feature will not
affect the existing function; it is an enhancement and improvement of the
existing function.

> Updated masking policy for hive to support for
> deny/allowException/denyExceptions
> ----------------------------------------------------------------------------------
>
> Key: RANGER-1796
> URL: https://issues.apache.org/jira/browse/RANGER-1796
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Affects Versions: 1.0.0, master
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: newbie, patch
> Attachments:
> 0001-RANGER-1796-Updated-masking-policy-for-hive-to-suppo.patch,
> masking-03.png, masking2.png, usecase-01.png
>
>
> The masking policy for Hive should support
> deny/allowException/denyExceptions to meet further business needs. For
> example, the masking policy for Hive should support the following scenario,
> among others:
> USER1, USER2 and USER3 belong to the user group GROUPA. Select the GROUPA
> group when creating the masking policy. USER1 does not use masking, and USER2
> and USER3 need masking.
> We rigorously tested this issue. The test result shows that the feature is OK.
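
The four conditions from steps a-d in the comment, evaluated in a small model. This is an added example, not part of the original comment and not Apache Ranger code; it assumes deny items are checked before allow items (the order Ranger uses for access policies), and the principals USER4, USER5 and the group GROUPC are hypothetical.

```python
# Illustrative model only; not Apache Ranger code. Assumption: deny items are
# evaluated before allow items, and each exclusion only cancels its own list.
from dataclasses import dataclass, field

PUBLIC = "public"  # special group that, per the comment, represents all groups

@dataclass
class Item:
    """One policy condition: the users and groups it names."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def matches(self, user, user_groups):
        return (user in self.users or PUBLIC in self.groups
                or bool(self.groups & set(user_groups)))

@dataclass
class MaskingPolicy:
    allow: Item         # 'Allow Conditions': masking is applied
    allow_except: Item  # 'Exclude from Allow Conditions'
    deny: Item          # 'Deny Conditions': masking is not applied
    deny_except: Item   # 'Exclude from Deny Conditions'

    def is_masked(self, user, user_groups):
        denied = (self.deny.matches(user, user_groups)
                  and not self.deny_except.matches(user, user_groups))
        if denied:
            return False
        return (self.allow.matches(user, user_groups)
                and not self.allow_except.matches(user, user_groups))

# Steps a-d from the comment.
POLICY = MaskingPolicy(
    allow=Item(groups={PUBLIC}),
    allow_except=Item(groups={"GROUPB"}),
    deny=Item(groups={"GROUPA"}),
    deny_except=Item(users={"USER1"}),
)

# Constructed sample principals (group memberships are made up for the example).
SAMPLE = {"USER1": ["GROUPA"], "USER2": ["GROUPA"],
          "USER4": ["GROUPB"], "USER5": ["GROUPC"]}

def evaluate(policy=POLICY, principals=SAMPLE):
    """Return {user: True if masking applies} for every sample principal."""
    return {u: policy.is_masked(u, g) for u, g in principals.items()}

if __name__ == "__main__":
    for user, masked in evaluate().items():
        print(f"{user}: {'masked' if masked else 'not masked'}")
```

Under this assumed order, a USER1 who is later added to GROUPB stops being masked, because the allow exclusion still applies after the deny exclusion; group membership changes are worth reviewing against such a policy.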