[jira] [Updated] (RANGER-4291) If a ROW_FILTER type policy resources match, then an audit log record with Result=Denied is created

Fri, 16 Jun 2023 10:41:07 -0700 


     [ 
https://issues.apache.org/jira/browse/RANGER-4291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni updated RANGER-4291:
-----------------------------------
    Description: 
ROW_FILTER policies are supported for Hive service type. For a Hive resource 
being authorized, if a ROW_FILTERĀ  policy's resource-specification are matched 
but none of the policy-items match, then effectively the policy did not match. 
However, if the policy has audit enabled, then an audit log record is created 
with Access Type=ROW_FILTER and Result=Denied.

This is a spurious and misleading audit record, and it should not be generated.

  was:
ROW_FILTER (and DATA_MASKING) policies are supported for Hive service type. For 
a Hive resource being authorized, if a ROW_FILTER (or DATA_MASKING) policy's 
resource-specification are matched but none of the policy-items match, then 
effectively the policy did not match. However, if the policy has audit enabled, 
then an audit log record is created with Access Type=ROW_FILTER and 
Result=Denied.

This is a spurious and misleading audit record, and it should not be generated.


> If a ROW_FILTER type policy resources match, then an audit log record with 
> Result=Denied is created
> ---------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-4291
>                 URL: https://issues.apache.org/jira/browse/RANGER-4291
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhay Kulkarni
>            Assignee: Abhay Kulkarni
>            Priority: Major
>
> ROW_FILTER policies are supported for Hive service type. For a Hive resource 
> being authorized, if a ROW_FILTERĀ  policy's resource-specification are 
> matched but none of the policy-items match, then effectively the policy did 
> not match. However, if the policy has audit enabled, then an audit log record 
> is created with Access Type=ROW_FILTER and Result=Denied.
> This is a spurious and misleading audit record, and it should not be 
> generated.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to