Thank you Madhan for your reply. This was helpful. Sent from my iPhone
> On 27-May-2020, at 8:42 PM, Madhan Neethiraj <mad...@apache.org> wrote: > > > Reetika, > > Policy priority/override was introduced in Ranger 1.1.0, via RANGER-2000 > (Policy effective dates to support time-bound and temporary authorization). > > While determining column-mask/row-filter to apply, Ranger policy engine > evaluates the policy-items in the order they appear in the policy, and picks > the first match. In your example, row-filter name=’NA’ will be applied since > that is the first match for user=admin. > > Hope this helps. > > Regards, > Madhan > > > From: reetika agrawal <agrawal.reetika...@gmail.com> > Reply-To: "user@ranger.apache.org" <user@ranger.apache.org> > Date: Wednesday, May 27, 2020 at 12:11 AM > To: "user@ranger.apache.org" <user@ranger.apache.org> > Subject: Re: Question on Ranger Hive Row filtering and Column Masking > > Hi Madhan, > Thank you for your reply. > > As you mentioned, when I tried creating multiple policies for the same > table/column I got the same error- > Error Code : 3010 Another policy already exists for matching resource: > policy-name=[testdb.testtable.col1], service=[test_hive] > > I don't see this option of overriding the policy though in my ranger, Is it > something which comes with the latest version of Ranger? I am using 0.7.1 > version of the ranger. > > Another question on Rowfiltering policy creation, If I have some policy > created something like below, > <image001.png> > Here in this case how WHERE clause restriction will be applied on custKey > column for user admin? Will it have custKey>300 AND custKey>100 or something > else? > > > > Thanks & Regards, > Reetika > > On Tue, May 26, 2020 at 10:39 PM Madhan Neethiraj <mad...@apache.org> wrote: > It should not be possible to create multiple column-masking policies for a > column. Attempt to create a second policy for a column should result in > following error: > Error Code : 3010 Another policy already exists for matching resource: > policy-name=[testdb.testtable.col1], service=[test_hive] > > Assuming you managed to create multiple such policies (perhaps by updating > the default Hive service-def – which is not recommended), policy priority > can be used to order the evaluation i.e. policies with ‘Override’ priority > will be evaluated before policies with ‘Normal’ priority. However, the order > of evaluation within a given priority cannot be controlled by the user. > > <image002.png> > > <image003.png> > > The same applies for row-filtering policies as well. > > Hope this helps. > > Madhan > > From: reetika agrawal <agrawal.reetika...@gmail.com> > Reply-To: "user@ranger.apache.org" <user@ranger.apache.org> > Date: Tuesday, May 26, 2020 at 6:54 AM > To: "user@ranger.apache.org" <user@ranger.apache.org> > Subject: Question on Ranger Hive Row filtering and Column Masking > > Hi, > I would like to know how ranger evaluates and apply column Masking policy if > there is more than one type of column masking policy defined for a given > column of a table? > > Ex- > Policy1 -> testable -> col1 -> Nulllify (Column masking) -> User1 > Policy2 -> testable -> col1 -> Nulllify (Hash) -> User1 > > Same question, for Row filtering as well, > Ex- > Policy1 -> testable -> No-filter appplied (Row filtering) -> User1 > Policy2 -> testable -> col1='A' (Row filtering) -> User1 > > In the above cases which policy will be honored in both the case of Column > masking and Row filtering? > If there is any document around it, could you please point to me that also. > > -- > Thanks, > Reetika Agrawal > > > -- > Thanks, > Reetika Agrawal
