-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71171/
-----------------------------------------------------------
Review request for ranger and Madhan Neethiraj.
Bugs: RANGER-2521
https://issues.apache.org/jira/browse/RANGER-2521
Repository: ranger
Description
-------
Setup:
Zone Production includes:
  Services: cm_hive, cm_tag
  Resources: Hive table retail_demo.customers in cm_hive
  Tag-based masking policy (#43): EMAIL_PII, group=public, access=select,
    maskType=nullify
Unzoned includes:
  Tag-based masking policy (#44): EMAIL_PII, group=public, access=select,
    maskType=hash
Column retail_demo.customers.customer_email is tagged with EMAIL_PII
When retail_demo.customers.customer_email is accessed, the audit log indicates
that access is granted by a policy from the Production zone, but masking is done
by a policy from the unzoned (default) zone. Masking should be done by the policy
in the Production zone too.
The root cause is that the ServicePolicies JSON is not correctly generated to
indicate that the Production zone contains an associated tag policy.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 78296e236
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 990fc2bba
security-admin/src/main/resources/META-INF/jpa_named_queries.xml 328cf264c
Diff: https://reviews.apache.org/r/71171/diff/1/
Testing
-------
Tested with a cluster to ensure that the policies downloaded to the plugin have
the correct zone details.
Thanks,
Abhay Kulkarni
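
The behaviour reported above can be reproduced with a simplified model. This is an added example, not part of the review request and not Ranger code: the `Zone` class, the `contains_tag_service` field and all function names are hypothetical, and the assumption is that zone tag policies are consulted only when the downloaded zone record is flagged as containing the tag service.

```python
# Simplified model of the reported bug (not Ranger code; all names hypothetical).
from dataclasses import dataclass

UNZONED = ""

@dataclass
class Zone:
    name: str
    services: set
    tables: set                          # (service, table) pairs owned by the zone
    contains_tag_service: bool = False   # assumed flag shipped to the plugin

# Constructed from the description: zone -> tag -> (policy id, maskType)
TAG_MASK_POLICIES = {
    "Production": {"EMAIL_PII": (43, "nullify")},
    UNZONED:      {"EMAIL_PII": (44, "hash")},
}

def zone_for(zones, service, resource):
    """Return the zone owning the table or one of its columns, else None."""
    for z in zones:
        for svc, table in z.tables:
            if svc == service and (resource == table or resource.startswith(table + ".")):
                return z
    return None

def select_mask(zones, service, resource, tag):
    """Assumed plugin logic: use zone tag policies only if the zone is flagged."""
    z = zone_for(zones, service, resource)
    zone_name = z.name if z and z.contains_tag_service else UNZONED
    return TAG_MASK_POLICIES.get(zone_name, {}).get(tag)

def with_flag_derived(zone, tag_service):
    """Export step: derive the flag from the zone's own service list."""
    return Zone(zone.name, zone.services, zone.tables, tag_service in zone.services)

def production_zone():
    return Zone("Production", {"cm_hive", "cm_tag"},
                {("cm_hive", "retail_demo.customers")})

if __name__ == "__main__":
    column = "retail_demo.customers.customer_email"
    buggy = production_zone()                        # flag never set on export
    fixed = with_flag_derived(production_zone(), "cm_tag")
    for label, z in (("flag missing", buggy), ("flag derived", fixed)):
        print(label, "->", select_mask([z], "cm_hive", column, "EMAIL_PII"))
```

With the flag missing, the model falls back to unzoned policy #44 (hash) even though the resource sits in the Production zone, which matches the mismatch between the access audit and the masking result in the description.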