[
https://issues.apache.org/jira/browse/RANGER-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3688:
-------------------------------------
Description:
Apache Ranger policy model provides policy priority to override decisions made
by normal priority policies. This can be used to provide (temporary) access to
resources when another policy might deny access - for example:
* access to finance database is to be allowed only for users in finance-users
group; everyone else is should be denied access
* access to a subset of tables/columns in finance database should be allowed
for users in auditors group
Above requirement can be met by creating following 2 policies:
* policy #1: resource: \{ database=finance }, groups: [ finance ],
permissions: [ all ], isDenyAllElse: true
* policy #2: resource: \{ database=finance, table=audit* }, groups: [ auditors
], permissions: [ select ], priority: override
Such policy override works well for access requests, even across tag-based and
resource-based policies. However, for data-masking policies, the decision made
by a tag-based masking policy are not overridden by resource-based policies
with override priority. For example:
* tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact,
priority=normal
* resource-masking-policy #2: resource: \{ database=customer, table=order,
column=amount }, groups: [ analyst ], maskType=none, priority=override
Above policies should allow users in analyst group to see unmasked value of
customer.order.amount column, even when the column is tagged as SENSITIVE.
Currently users in analyst group will only see values with redact masking
applied.
was:
Apache Ranger policy model provides policy priority to override decisions made
by normal priority policies. This can be used to provide (temporary) access to
resources when another policy might deny access - for example:
* access to finance database is to be allowed only for users in finance-users
group; everyone else is should be denied access
* access to a subset of tables/columns in finance database should be allowed
for users in auditors group
Above requirement can be met by creating following 2 policies:
* policy #1: resource: \{ database=finance }, groups: [ finance ],
permissions: [ all ], isDenyAllElse: true
* policy #2: resource: \{ database=finance, table=audit* }, groups: [ auditors
], permissions: [ select ], priority: override
Such policy override works well for access requests, even across tag-based and
resource-based policies. However, for data-masking policies, the decision made
by a tag-based masking policy are not overridden by resource-based policies
with override priority. For example:
* tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact,
priority=normal
* resource-masking-policy #2: resource: \{ database=customer, table=order,
column=amount }, groups: [ analyst ], maskType=none, priority=normal
Above policies should allow users in analyst group to see unmasked value of
customer.order.amount column, even when the column is tagged as SENSITIVE.
Currently users in analyst group will only see values with redact masking
applied.
> Resource based masking policy with override priority
> ----------------------------------------------------
>
> Key: RANGER-3688
> URL: https://issues.apache.org/jira/browse/RANGER-3688
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
>
> Apache Ranger policy model provides policy priority to override decisions
> made by normal priority policies. This can be used to provide (temporary)
> access to resources when another policy might deny access - for example:
> * access to finance database is to be allowed only for users in
> finance-users group; everyone else is should be denied access
> * access to a subset of tables/columns in finance database should be allowed
> for users in auditors group
> Above requirement can be met by creating following 2 policies:
> * policy #1: resource: \{ database=finance }, groups: [ finance ],
> permissions: [ all ], isDenyAllElse: true
> * policy #2: resource: \{ database=finance, table=audit* }, groups: [
> auditors ], permissions: [ select ], priority: override
>
> Such policy override works well for access requests, even across tag-based
> and resource-based policies. However, for data-masking policies, the decision
> made by a tag-based masking policy are not overridden by resource-based
> policies with override priority. For example:
> * tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact,
> priority=normal
> * resource-masking-policy #2: resource: \{ database=customer, table=order,
> column=amount }, groups: [ analyst ], maskType=none, priority=override
>
> Above policies should allow users in analyst group to see unmasked value of
> customer.order.amount column, even when the column is tagged as SENSITIVE.
> Currently users in analyst group will only see values with redact masking
> applied.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
