Madhan Neethiraj created RANGER-3688:
----------------------------------------
Summary: Resource based masking policy with override priority
Key: RANGER-3688
URL: https://issues.apache.org/jira/browse/RANGER-3688
Project: Ranger
Issue Type: Bug
Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj
Apache Ranger policy model provides policy priority to override decisions made
by normal priority policies. This can be used to provide (temporary) access to
resources when another policy might deny access - for example:
* access to finance database is to be allowed only for users in finance-users
group; everyone else should be denied access
* access to a subset of tables/columns in finance database should be allowed
for users in auditors group
The above requirement can be met by creating the following 2 policies:
* policy #1: resource: { database=finance }, groups: [ finance ],
permissions: [ all ], isDenyAllElse: true
* policy #2: resource: { database=finance, table=audit* }, groups: [ auditors
], permissions: [ select ], priority: override
Such policy override works well for access requests, even across tag-based and
resource-based policies. However, for data-masking policies, the decision made
by a tag-based masking policy is not overridden by resource-based policies
with override priority. For example:
* tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact,
priority=normal
* resource-masking-policy #2: resource: { database=customer, table=order,
column=amount }, groups: [ analyst ], maskType=none
The above policies should allow users in the auditors group to see the unmasked value of
the customer.order.amount column, even when the column is tagged as SENSITIVE.
Currently, users in the auditors group will only see values with redact masking
applied.
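To make the expected precedence concrete, here is an added toy model (not Ranger's own code) of the evaluation the issue describes: the access case that already works and the masking outcome the issue expects. The policy fields, helper names and sample requests are this model's own assumptions, and the resource masking policy is given override priority as the summary implies.

```python
# Toy model of Ranger policy precedence (added illustration, not Ranger's own code).
# Override-priority policies decide first; within one level a deny (isDenyAllElse)
# beats an allow. Masking follows the precedence RANGER-3688 asks for.
from dataclasses import dataclass, field

@dataclass
class Policy:  # field names are this model's own, not Ranger's policy schema
    groups: set
    resource: dict = field(default_factory=dict)  # e.g. {"database": "finance", "table": "audit*"}
    tag: str = ""                                 # non-empty for tag-based policies
    permissions: set = field(default_factory=set)
    mask_type: str = "none"                       # "redact", or "none" for unmasked
    priority: str = "normal"                      # "normal" or "override"
    deny_all_else: bool = False

def _match(pattern: str, value) -> bool:
    # Resource matching with a trailing wildcard: audit* matches audit_2023
    return value is not None and (value == pattern or
                                  pattern.endswith("*") and value.startswith(pattern[:-1]))
def resource_matches(policy: Policy, resource: dict, tags: set) -> bool:
    # Tag policy: tag present on the resource. Resource policy: every level it
    # names matches, so a database-level policy covers every table in it.
    if policy.tag:
        return policy.tag in tags
    return all(_match(p, resource.get(k)) for k, p in policy.resource.items())
def evaluate_access(policies, resource, tags, group, permission) -> bool:
    for prio in ("override", "normal"):
        hits = [p for p in policies if p.priority == prio and resource_matches(p, resource, tags)]
        if any(p.deny_all_else and group not in p.groups for p in hits):
            return False
        if any(group in p.groups and p.permissions & {permission, "all"} for p in hits):
            return True
    return False  # no policy allowed it: denied by default
def evaluate_mask(policies, resource, tags, group) -> str:
    # Returns the winning maskType; "none" means the value is shown unmasked
    for prio in ("override", "normal"):
        for p in policies:
            if p.priority == prio and group in p.groups and resource_matches(p, resource, tags):
                return p.mask_type
    return "none"
ACCESS = [  # the two access policies from the issue (#1 and #2)
    Policy(groups={"finance"}, resource={"database": "finance"}, permissions={"all"}, deny_all_else=True),
    Policy(groups={"auditors"}, resource={"database": "finance", "table": "audit*"},
           permissions={"select"}, priority="override"),
]
MASKING = [  # the two masking policies from the issue; resource policy given override priority
    Policy(groups={"analyst"}, tag="SENSITIVE", mask_type="redact"),
    Policy(groups={"analyst"}, resource={"database": "customer", "table": "order", "column": "amount"},
           priority="override"),
]
```

With these policies, `evaluate_mask(MASKING, {"database": "customer", "table": "order", "column": "amount"}, {"SENSITIVE"}, "analyst")` returns "none" (unmasked), which is the behaviour the issue asks the plugin to implement.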
--
This message was sent by Atlassian Jira
(v8.20.1#820001)