[
https://issues.apache.org/jira/browse/IMPALA-13667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
woosuk.ro closed IMPALA-13667.
------------------------------
Resolution: Fixed
> Nested mask_hash Calls with Ranger Data Masking in Impala
> ---------------------------------------------------------
>
> Key: IMPALA-13667
> URL: https://issues.apache.org/jira/browse/IMPALA-13667
> Project: IMPALA
> Issue Type: Question
> Components: Frontend
> Reporter: woosuk.ro
> Priority: Minor
>
> h3. *Description*
> When a Ranger {{mask_hash}} policy is applied to a column in Impala, each
> view that references that column triggers another call to {{mask_hash}}.
> As a result, the column is hashed repeatedly, causing multiple nested
> {{mask_hash}} operations instead of a single masking step.
> h3. *Steps to Reproduce*
> 1. In Ranger, apply a {{mask_hash}} policy to a column (e.g.,
> {{account_number}}) across a database.
> 2. Create a Base Table:
> {code:java}
> CREATE TABLE private_db.base_table (
> account_number STRING,
> other_column STRING
> );{code}
> 3. Create a View Referencing the Base Table:
> {code:java}
> CREATE VIEW private_db.base_view AS
> SELECT * FROM private_db.base_table;{code}
> 4. Query the View:
> {code:java}
> SELECT * FROM private_db.base_view;{code}
> 5. Observe the query plan or Ranger audit logs: multiple {{mask_hash}} calls
> are stacked.
> h3. *Expected Behavior*
> {{mask_hash}} should apply once per column per query, regardless of view
> layers.
> ----
> h3. *Actual Behavior*
> {{mask_hash}} is invoked multiple times (one for each view layer), causing
> repeated hashing.
> *Ranger Audit Logs:*
> *1. private_db.base_view account_number column masking*
> {code:java}
> {
> "access": "mask_hash",
> "resource": "private_db/base_view/account_number",
> "resType": "@column",
> "reqData": "SELECT * FROM temp_db.secondary_view"
> }{code}
> *2. private_db.base_table account_number column masking*
> {code:java}
> {
> "access": "mask_hash",
> "resource": "private_db/base_table/account_number",
> "resType": "@column",
> "reqData": "SELECT * FROM temp_db.secondary_view"
> }{code}
> *Environment*
> - Impala: 4.4.0
> - Ranger: 2.3.0
>
>
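The stacking reported above can be checked for mechanically in Ranger audit output. The following is an added example, not part of the issue and not Impala or Ranger code: it groups audit records by request text and column name and reports columns that received mask_hash at more than one table or view layer. The field names are the ones quoted in the issue; the one-JSON-object-per-line layout, the sample records, and the function name find_stacked_masks are assumptions made for the illustration.

```python
import json
from collections import defaultdict

# Constructed sample: the two audit records quoted in the issue plus one
# constructed non-masking record for contrast, one JSON object per line.
SAMPLE_AUDIT = """\
{"access": "mask_hash", "resource": "private_db/base_view/account_number", "resType": "@column", "reqData": "SELECT * FROM temp_db.secondary_view"}
{"access": "mask_hash", "resource": "private_db/base_table/account_number", "resType": "@column", "reqData": "SELECT * FROM temp_db.secondary_view"}
{"access": "select", "resource": "private_db/base_table/other_column", "resType": "@column", "reqData": "SELECT * FROM temp_db.secondary_view"}
"""

def find_stacked_masks(lines, mask_type="mask_hash"):
    """Return {(reqData, column): [resources]} for every query in which the
    same column name was masked at more than one table/view layer.
    (Hypothetical helper written for this example.)"""
    layers = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed audit lines instead of aborting
        if rec.get("access") != mask_type or rec.get("resType") != "@column":
            continue
        resource = rec.get("resource", "")
        parts = resource.split("/")
        if len(parts) != 3:
            continue  # expected form: db/table_or_view/column
        # reqData is the only query identifier shown in the issue, so it is
        # used as the grouping key; resources are de-duplicated so repeated
        # runs of the same query do not inflate the layer count.
        key = (rec.get("reqData", ""), parts[2])
        if resource not in layers[key]:
            layers[key].append(resource)
    return {k: v for k, v in layers.items() if len(v) > 1}

if __name__ == "__main__":
    hits = find_stacked_masks(SAMPLE_AUDIT.splitlines())
    for (query, column), resources in hits.items():
        print(f"{column}: mask_hash applied at {len(resources)} layers for {query!r}")
        for resource in resources:
            print("   ", resource)
```

Matching is by column name only, so a query that joins two unrelated tables with a same-named masked column is reported as well and needs a manual look.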