It should not be possible to create multiple column-masking policies for a column. Attempt to create a second policy for a column should result in following error:
Error Code : 3010 Another policy already exists for matching resource: policy-name=[testdb.testtable.col1], service=[test_hive] Assuming you managed to create multiple such policies (perhaps by updating the default Hive service-def – which is not recommended), policy priority can be used to order the evaluation i.e. policies with ‘Override’ priority will be evaluated before policies with ‘Normal’ priority. However, the order of evaluation within a given priority cannot be controlled by the user. The same applies for row-filtering policies as well. Hope this helps. Madhan From: reetika agrawal <agrawal.reetika...@gmail.com> Reply-To: "user@ranger.apache.org" <user@ranger.apache.org> Date: Tuesday, May 26, 2020 at 6:54 AM To: "user@ranger.apache.org" <user@ranger.apache.org> Subject: Question on Ranger Hive Row filtering and Column Masking Hi, I would like to know how ranger evaluates and apply column Masking policy if there is more than one type of column masking policy defined for a given column of a table? Ex- Policy1 -> testable -> col1 -> Nulllify (Column masking) -> User1 Policy2 -> testable -> col1 -> Nulllify (Hash) -> User1 Same question, for Row filtering as well, Ex- Policy1 -> testable -> No-filter appplied (Row filtering) -> User1 Policy2 -> testable -> col1='A' (Row filtering) -> User1 In the above cases which policy will be honored in both the case of Column masking and Row filtering? If there is any document around it, could you please point to me that also. -- Thanks, Reetika Agrawal
