[
https://issues.apache.org/jira/browse/RANGER-4827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Subhrat Chaudhary updated RANGER-4827:
--------------------------------------
Description:
Currently in GDS implementation, we have provision to ad row-filter and masking
expression in the RangerGds.RangerSharedResource. But these are not evaluated
during dataset policy evaluation. To extend the support of GDS in ranger, we
can add evaluation of row-filter and masking expressions.
There can be one complexity while evaluation of row-filter and masking
expressions for GDS:
For example: a dataset is linked with multiple SharedResource, with overlapping
resources and the SharedResource has row-filter or masking expression added. In
such case which expression should we consider for evaluation?
We need to address check and above issue.
----
Updates on the implementation approach:
Row filter
RangerGds.RangerSharedResource.rowFilter holds the row filter definition for
the SharedResource. The SharedResource can be associated with n number of
DataShare -> Dataset.
We have implement in following sequence:
1. Get all the row filter associated with the asked resource i.e traverse
through SharedResource > DataShare > Dataset associations.
2. Evaluate dataset policies for the resource (associated datasets) remove row
filter from the list, for which link dataset policy is not valid for the
current user.
3. After this if there are mulple row filters in the list, pick the first in
the list sorted in the dictionary order of the SharedResource name.
Mask
RangerGds.RangerSharedResource.subResourceMasks holds the mask definition for
the SharedResource. Also RangerGds.RangerDataShare.defaultTagMasks are defined
in the dataShare. The SharedResource can be associated with n number of
DataShare -> Dataset.
We have implement in following sequence:
1. Get all the masks associated with the asked resource i.e traverse through
SharedResource > DataShare > Dataset associations, with details like whether
mask is in sharedResource or dataShare
2. Evaluate dataset policies for the resource (associated datasets) remove
masks from the list, for which link dataset policy is not valid for the current
user.
3. After this if there are mulple row filters in the list, pick the first in
the list sorted in the dictionary order of the SharedResource name.
4. In case we have mask at both sharedResource and dataShare, the mask in
dataShare will be given priority.
was:
Currently in GDS implementation, we have provision to ad row-filter and masking
expression in the RangerGds.RangerSharedResource. But these are not evaluated
during dataset policy evaluation. To extend the support of GDS in ranger, we
can add evaluation of row-filter and masking expressions.
There can be one complexity while evaluation of row-filter and masking
expressions for GDS:
For example: a dataset is linked with multiple SharedResource, with overlapping
resources and the SharedResource has row-filter or masking expression added. In
such case which expression should we consider for evaluation?
We need to address check and above issue.
> Implement evaluation of row-filter and masking expression for GDS
> -----------------------------------------------------------------
>
> Key: RANGER-4827
> URL: https://issues.apache.org/jira/browse/RANGER-4827
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Subhrat Chaudhary
> Priority: Major
>
> Currently in GDS implementation, we have provision to ad row-filter and
> masking expression in the RangerGds.RangerSharedResource. But these are not
> evaluated during dataset policy evaluation. To extend the support of GDS in
> ranger, we can add evaluation of row-filter and masking expressions.
> There can be one complexity while evaluation of row-filter and masking
> expressions for GDS:
> For example: a dataset is linked with multiple SharedResource, with
> overlapping resources and the SharedResource has row-filter or masking
> expression added. In such case which expression should we consider for
> evaluation?
> We need to address check and above issue.
>
> ----
> Updates on the implementation approach:
> Row filter
> RangerGds.RangerSharedResource.rowFilter holds the row filter definition for
> the SharedResource. The SharedResource can be associated with n number of
> DataShare -> Dataset.
> We have implement in following sequence:
> 1. Get all the row filter associated with the asked resource i.e traverse
> through SharedResource > DataShare > Dataset associations.
> 2. Evaluate dataset policies for the resource (associated datasets) remove
> row filter from the list, for which link dataset policy is not valid for the
> current user.
> 3. After this if there are mulple row filters in the list, pick the first in
> the list sorted in the dictionary order of the SharedResource name.
> Mask
> RangerGds.RangerSharedResource.subResourceMasks holds the mask definition for
> the SharedResource. Also RangerGds.RangerDataShare.defaultTagMasks are
> defined in the dataShare. The SharedResource can be associated with n number
> of DataShare -> Dataset.
> We have implement in following sequence:
> 1. Get all the masks associated with the asked resource i.e traverse through
> SharedResource > DataShare > Dataset associations, with details like whether
> mask is in sharedResource or dataShare
> 2. Evaluate dataset policies for the resource (associated datasets) remove
> masks from the list, for which link dataset policy is not valid for the
> current user.
> 3. After this if there are mulple row filters in the list, pick the first in
> the list sorted in the dictionary order of the SharedResource name.
> 4. In case we have mask at both sharedResource and dataShare, the mask in
> dataShare will be given priority.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
