Thanks Ramesh. I'll try that out tomorrow.
Without column as a resource in the access policies, all policies are defined at the table level and so applicable to all columns. I could grant a user select access on a table (which implies select on every column) and then have masks defined for individual columns. Actually one workaround, if it were possible, would be to have column in the access policy but have it be read-only and initialized to the wild card character, *.

There's nothing special about my servicedef. In the top level resources I have schema and table. Under dataMaskDef->resources I have schema, table, and column. This is what they look like.

    "resources":[
      {
        "label":"Big SQL Schema",
        "rbKeyLabel":null,
        "rbKeyDescription":null,
        "itemId":1,
        "mandatory":true,
        "validationRegEx":"",
        "validationMessage":"",
        "uiHint":"",
        "rbKeyValidationMessage":null,
        "lookupSupported":true,
        "recursiveSupported":false,
        "excludesSupported":true,
        "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
        "matcherOptions":{"wildCard":"true", "ignoreCase":"true"},
        "level":10,
        "description":"Big SQL Schema",
        "name":"schema",
        "parent":null,
        "type":"string"
      },
      {
        "label":"Big SQL Table",
        "rbKeyLabel":null,
        "rbKeyDescription":null,
        "itemId":2,
        "mandatory":true,
        "validationRegEx":"",
        "validationMessage":"",
        "uiHint":"",
        "rbKeyValidationMessage":null,
        "lookupSupported":true,
        "recursiveSupported":false,
        "excludesSupported":true,
        "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
        "matcherOptions":{"wildCard":"true", "ignoreCase":"true"},
        "level":20,
        "description":"Big SQL Table",
        "name":"table",
        "parent":"schema",
        "type":"string"
      }

(and under dataMaskDef this one is added below Big SQL Table):

      {
        "label":"Big SQL Column",
        "rbKeyLabel":null,
        "rbKeyDescription":null,
        "itemId":3,
        "mandatory":true,
        "validationRegEx":"",
        "validationMessage":"",
        "uiHint":"",
        "rbKeyValidationMessage":null,
        "lookupSupported":false,
        "recursiveSupported":false,
        "excludesSupported":true,
        "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
        "matcherOptions":{"wildCard":"true", "ignoreCase":"true"},
        "level":30,
        "description":"Big SQL Column",
        "name":"column",
        "parent":"table",
        "type":"string"
      }

________________________________
From: Ramesh Mani <rm...@hortonworks.com>
Sent: June 27, 2018 4:03 PM
To: user@ranger.apache.org
Subject: Re: Can the resource 'column' only exist in the masking policies?

Eric,

Also, in your ranger code base, please try bypassing these checks?

https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java#L569

https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java#L576

Regards,
Ramesh

From: Ramesh Mani <rm...@hortonworks.com>
Date: Wednesday, June 27, 2018 at 12:34 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Can the resource 'column' only exist in the masking policies?

Hello Eric,

Like Bosco mentioned, your scenario of having the column resource enabled only for the data masking definition is not tested, and also in the hive plugin we expect the user to have at least "select" access to the column in order for the column masking to be evaluated for that user. So that means column level resource authorization checks have to be bypassed and go to data masking policy evaluation. I strongly feel that we are looking at some code change on the hive authorizer in that case.

Could you please share your service-def which you are evaluating, if possible?

Thanks,
Ramesh

From: Don Bosco Durai <bo...@apache.org>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Tuesday, June 26, 2018 at 7:22 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Can the resource 'column' only exist in the masking policies?

I looked into the Hive Service Definition and it seems we have a different set of resource type definitions for Access Policy and Masking. So ideally, whatever you are doing is supported by the Service Definition. It might be that your scenario has not been tested. The best way would be for you to just trace the code and see where you are getting the error. Madhan or Ramesh, who are more familiar with the code, might have more insights.

Bosco

From: Eric Alton <sultanapea...@hotmail.com>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, June 26, 2018 at 7:18 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Can the resource 'column' only exist in the masking policies?

I'm looking to add column masking to a custom plugin (Big SQL), and we do not have column level access policies.

________________________________
From: Don Bosco Durai <bo...@apache.org>
Sent: June 26, 2018 5:27 PM
To: user@ranger.apache.org
Subject: Re: Can the resource 'column' only exist in the masking policies?

Are you using the out of the box Hive Ranger Plugin? Or is it a custom Ranger plugin?

Bosco

From: Eric Alton <sultanapea...@hotmail.com>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, June 26, 2018 at 2:14 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Can the resource 'column' only exist in the masking policies?

Our Ranger plugin does not support column level access policies, but we want to support column masking. I've been playing around with the servicedef file, and cannot get column to only appear in the masking policies. Is there a way to do this?

(top level) resources: schema is a parent of table
dataMaskDef->resources: schema is a parent of table. table is a parent of column.

The error I get when only listing column under dataMaskDef->resources is:

    {"statusCode":1,"msgDesc":"resource with name: column does not exists","messageList":[{"name":"DATA_NOT_FOUND","rbKey":"xa.error.data_not_found","message":"Data not found"}]}
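The admin-side rejection Eric hits ("resource with name: column does not exists") can be reproduced offline before a servicedef is posted. The script below is an added example, not Ranger's own code: it rebuilds the thread's schema/table/column servicedef as a constructed sample, flags any dataMaskDef resource that is missing from the top-level resources (the check behind that error) along with unresolved parent references, and shows the same definition passing once column is also present at the top level.

```python
# Pre-flight check for a Ranger servicedef (added example, not Ranger's code).
# The admin rejects a servicedef whose dataMaskDef.resources names a resource
# that is absent from the top-level "resources" list; this reproduces that
# check, plus a parent-chain check, without an admin server.
import copy


def _res(name, parent, level, item_id, lookup=True):
    """One resource entry in the shape Ranger servicedefs use."""
    return {"itemId": item_id, "name": name, "parent": parent, "level": level,
            "type": "string", "mandatory": True, "lookupSupported": lookup,
            "recursiveSupported": False, "excludesSupported": True,
            "matcher": "org.apache.ranger.plugin.resourcematcher."
                       "RangerDefaultResourceMatcher",
            "matcherOptions": {"wildCard": "true", "ignoreCase": "true"}}


# Constructed sample: column appears only under dataMaskDef, as in the thread.
BIGSQL_SERVICEDEF = {
    "name": "bigsql",
    "resources": [_res("schema", None, 10, 1), _res("table", "schema", 20, 2)],
    "dataMaskDef": {"resources": [
        _res("schema", None, 10, 1),
        _res("table", "schema", 20, 2),
        _res("column", "table", 30, 3, lookup=False),
    ]},
}


def validate_servicedef(sdef):
    """Return the list of problems found; an empty list means the checks pass."""
    problems = []
    top = sdef.get("resources", [])
    mask = sdef.get("dataMaskDef", {}).get("resources", [])
    # Each list's parent references must resolve within that same list.
    for label, resources in (("resources", top), ("dataMaskDef.resources", mask)):
        names = {r["name"] for r in resources}
        for r in resources:
            if r.get("parent") and r["parent"] not in names:
                problems.append(f"{label}: {r['name']} has unknown parent {r['parent']}")
    # Every masking resource must also be a top-level resource (the admin's check).
    top_names = {r["name"] for r in top}
    problems += [f"resource with name: {r['name']} does not exists"
                 for r in mask if r["name"] not in top_names]
    return problems


def with_column_at_top_level(sdef):
    """Copy of sdef with column added to the top-level resources so the check passes."""
    fixed = copy.deepcopy(sdef)
    fixed["resources"].append(_res("column", "table", 30, 3, lookup=False))
    return fixed
```

Run `validate_servicedef` on a servicedef loaded with `json.load` to see the rejection reasons locally instead of from the admin REST response.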