Re: Review Request 71171: RANGER-2521: Masking policies not picked from the zone of the accessed resource

Sun, 28 Jul 2019 19:55:42 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71171/#review216905
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On July 28, 2019, 11:01 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71171/
> -----------------------------------------------------------
> 
> (Updated July 28, 2019, 11:01 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-2521
>     https://issues.apache.org/jira/browse/RANGER-2521
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Setup:
> 
> Zone Production includes:
> 
>   Services: cm_hive, cm_tag
> 
>  Resources: Hive table retail_demo.customers in cm_hive
> 
>   Tag-based masking policy (#43): EMAIL_PII, group=public, access=select, 
> maskType=nullify
> 
>  
> 
> Unzoned includes:
> 
>   Tag-based masking policy (#44): EMAIL_PII, group=public, access=select, 
> maskType=hash
> 
>  
> 
> Column retail_demo.customers.customer_email is tagged with EMAIL_PII
> 
>  
> 
> When retail_demo.customers.customer_email is accessed, audit log indicates 
> that access is granted by policy from Production zone, but masking is done by 
> policy from unzoned(default) zone. Masking should be done by policy in the 
> Production zone too.
> 
> The root cause is that ServicePolicies JSON is not correctly generated to 
> indicate that Production zone contains associated tag policy.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 
> 78296e236 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 990fc2bba 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 328cf264c 
> 
> 
> Diff: https://reviews.apache.org/r/71171/diff/1/
> 
> 
> Testing
> -------
> 
> Tested with cluster to ensure that the policies downloaded to plugin have the 
> correct zone details.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Reply via email to