Subhrat Chaudhary created RANGER-4023:
-----------------------------------------
Summary: UserStoreEnricher is not enabled if mask conditon has
attribute based expression
Key: RANGER-4023
URL: https://issues.apache.org/jira/browse/RANGER-4023
Project: Ranger
Issue Type: Bug
Components: plugins
Reporter: Subhrat Chaudhary
Fix For: 3.0.0
We added the support for user/attribute based expressions in masking condition
in [#https://issues.apache.org/jira/browse/RANGER-3865] . When only the mask
condition has an user/group attribute based expression, RangerUserStoreEnricher
is not enabled in plugin end.
Steps to reproduce (for Hive):
* Create a resource based access policy:
** Resources: database=testdb, table=employee, column=*
** Allow condition policy item: group=public, permissions=select
* Create a masking policy:
** Resources: database=testdb, table=employee, column=salary
** Allow condition policy item: group=public, permissions=select
** *Masking Option= Custom (CASE WHEN id IN (${\{USER.employee_id}}) THEN
salary ELSE '0' END)*
* Add following attributes to the user jack:
** *employee_id : 1,2*
* We have following data in Hive:
**
||id||name||salary||
|1|john|5600|
|2|jane|5300|
|3|jack|6700|
|4|harry|9500|
* When *select * from testdb.employee;* query is executed, the expectation is
{*}salary of the employee john and jane should be displayed as it is, while for
others it should be 0{*}. In actual result, salary of all the employees i s'0'.
* In plugin end, the RangerUserstore cache file userstore.json is not created.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
