Quanlong Huang created RANGER-3225:
--------------------------------------

             Summary: Hive plugin may not block updates when unmask policy exists
                 Key: RANGER-3225
                 URL: https://issues.apache.org/jira/browse/RANGER-3225
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 2.1.0, 1.2.0, 1.1.0, 0.7.1, 1.0.0, 0.6.3
            Reporter: Quanlong Huang


Per RANGER-1087 and RANGER-1100, table modifications (insert/delete/update) 
should be blocked when a row-filter or column-masking policy is enabled for the 
user. However, when there are no row-filter policies on the table, and the 
columns carry both mask and unmask policies, updates may not be blocked.

The cause is that we check only one column-masking policy of the table, 
regardless of whether it is an unmask (MASK_TYPE_NONE) policy:
{code:java}
// check if masking is enabled for any column in the table/view
request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
RangerAccessResult dataMaskResult = getDataMaskResult(request);
if (isDataMaskEnabled(dataMaskResult)) {
  // block the update
}
{code}
[https://github.com/apache/ranger/blob/58b51a39ebe2e7dc4d253658e423f0afb6a74987/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L978-L982]

When the picked policy is an unmask policy, isDataMaskEnabled() returns false 
on it.
{code:java}
private boolean isDataMaskEnabled(RangerAccessResult result) {
  return result != null && result.isMaskEnabled();
}
{code}
Code for RangerAccessResult#isMaskEnabled():
{code:java}
public boolean isMaskEnabled() {
  return StringUtils.isNotEmpty(this.getMaskType()) &&
         !StringUtils.equalsIgnoreCase(this.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
}
{code}
It is undetermined which column-masking policy will be matched. When 
re-creating some policies, or disabling and then re-enabling some policies, the 
result changes. In theory, we should check all column-masking policies of the 
table until we find a real mask policy.
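To make the ordering dependence concrete, here is a small Python model of the two checks. This is an added illustration, not Ranger's code: the MaskPolicy/MaskResult classes, the "MASK_NONE" string used for MASK_TYPE_NONE and the sample policies are constructed for the model; only the shape of the comparison mirrors isDataMaskEnabled() and isMaskEnabled().

```python
"""Model of the update-blocking check described in RANGER-3225 (not Ranger code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed string value of RangerPolicy.MASK_TYPE_NONE; only the comparison matters here.
MASK_TYPE_NONE = "MASK_NONE"


@dataclass(frozen=True)
class MaskPolicy:
    """A column-masking policy item: the table/column it matches and its mask type."""
    table: str
    column: str
    mask_type: str  # e.g. "MASK" (redact) or MASK_TYPE_NONE (unmask)


@dataclass(frozen=True)
class MaskResult:
    """Stand-in for the mask type carried by a RangerAccessResult."""
    mask_type: Optional[str]


def is_mask_enabled(result: Optional[MaskResult]) -> bool:
    """Mirror of isDataMaskEnabled() + RangerAccessResult#isMaskEnabled():
    true only for a non-empty mask type that is not the unmask marker."""
    return (result is not None
            and bool(result.mask_type)
            and result.mask_type.upper() != MASK_TYPE_NONE)


def first_descendant_result(policies: List[MaskPolicy], table: str) -> Optional[MaskResult]:
    """Model of a SELF_OR_DESCENDANTS lookup that stops at the first matching
    column policy. Which policy is 'first' depends on evaluation order, which is
    what makes the original check non-deterministic."""
    for p in policies:
        if p.table == table:
            return MaskResult(p.mask_type)
    return None


def update_blocked_original(policies: List[MaskPolicy], table: str) -> bool:
    """Original logic: one result, one isDataMaskEnabled() call."""
    return is_mask_enabled(first_descendant_result(policies, table))


def update_blocked_fixed(policies: List[MaskPolicy], table: str) -> bool:
    """Logic proposed in the report: look at every column policy on the table
    and block as soon as one real (non-NONE) mask policy is found."""
    return any(is_mask_enabled(MaskResult(p.mask_type))
               for p in policies if p.table == table)


def demo() -> Dict[str, bool]:
    """Constructed scenario from the report: redact on 'name', unmask on 'id'.
    The original check flips with policy order; the fixed check does not."""
    redact_name = MaskPolicy("my_tbl", "name", "MASK")
    unmask_id = MaskPolicy("my_tbl", "id", MASK_TYPE_NONE)
    return {
        "original_unmask_first": update_blocked_original([unmask_id, redact_name], "my_tbl"),
        "original_redact_first": update_blocked_original([redact_name, unmask_id], "my_tbl"),
        "fixed_unmask_first": update_blocked_fixed([unmask_id, redact_name], "my_tbl"),
        "fixed_redact_first": update_blocked_fixed([redact_name, unmask_id], "my_tbl"),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: update blocked = {blocked}")
```

The model also shows why a table with no masking policies at all must keep passing: both checks return false when no policy matches, so the fix only changes the mixed mask/unmask case.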

*How to reproduce*

Create a table with 3 columns (id int, name string, addr string). Add a redact 
policy on "name". Add an unmask policy on "id". Check whether updates will be 
blocked:
{code:sql}
explain authorization insert into table my_tbl values (0, 'foo', 'bar');
{code}
The result could be OK, or
{code}
Permission denied: user [admin] does not have [UPDATE] privilege on [default/my_tbl]
{code}
cc [~madhan], [~jcamachorodriguez]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
