I’m currently working on a plugin for a new database, but this is purely a usage question for Hive+Ranger, hence the user list, as I’m comparing behaviour between the new code & a good example of an existing plugin - in this case, Hive.

* I have a resource based policy that allows public access to all tables
* I can create a resource based masking policy for hive against a column in a table, and happily see a salary field redacted
* I can create a tag based access control policy for hive where in Atlas I tag a particular hive column as ‘spi’, and in ranger I create a tag based policy (in a tag service used by the hive service… with tagsync active etc...) that denies access to anything tagged SPI

Both working well :-)

[Note I am executing the queries through Hive UI in ambari… and I set the config to execute the query as the end user.. logged in as raj_ops - the user I’m using]

HOWEVER what I can’t seem to get working is a tag based masking policy. I am using the same resource & tag in atlas… so I’m sure that works…

My policy is found under Access Manager->Service Manager->TagService Policies->Masking

The policy is defined as Masking/32/MaskSPIData/Enabled/spi. Just single user (raj_ops), AccessType Hive(select), and masking option Redact

However when I do a query no masking occurs. Audit is enabled, and I don’t see this policy id listed (32). Policies are being synced

* Hive - 1.2.1000
* Atlas - 0.8.0
* Ranger - 0.7.0

Any ideas? Have I missed something?

Thanks
Nigel.