Posted to dev@ranger.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/03/28 12:03:00 UTC

[jira] [Created] (RANGER-3225) Hive plugin may not block updates when unmask policy exists

Quanlong Huang created RANGER-3225:
--------------------------------------

             Summary: Hive plugin may not block updates when unmask policy exists
                 Key: RANGER-3225
                 URL: https://issues.apache.org/jira/browse/RANGER-3225
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 2.1.0, 1.2.0, 1.1.0, 0.7.1, 1.0.0, 0.6.3
            Reporter: Quanlong Huang


Per RANGER-1087 and RANGER-1100, table modifications (insert/delete/update) should be blocked when a row-filter/column-masking policy is enabled for the user. However, when there are no row-filtering policies on the table, and there are both mask and unmask policies on the columns, updates may not be blocked.

The cause is that we just check one column masking policy of the table, regardless of whether it's an unmask (MASK_TYPE_NONE) policy:
{code:java}
// check if masking is enabled for any column in the table/view
request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
RangerAccessResult dataMaskResult = getDataMaskResult(request);
if (isDataMaskEnabled(dataMaskResult)) {
  // block the update
}{code}
[https://github.com/apache/ranger/blob/58b51a39ebe2e7dc4d253658e423f0afb6a74987/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L978-L982]

When the picked policy is an unmasked policy, isDataMaskEnabled() returns false on it.
{code:java}
private boolean isDataMaskEnabled(RangerAccessResult result) {
	return result != null && result.isMaskEnabled();
}{code}
Code for RangerAccessResult#isMaskEnabled():
{code:java}
public boolean isMaskEnabled() {
	return StringUtils.isNotEmpty(this.getMaskType()) && !StringUtils.equalsIgnoreCase(this.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
}
{code}
It's undetermined which column masking policy will be matched. When re-creating some policies, or disabling and then re-enabling some policies, the result changes. In theory, we should check all column masking policies of the table until we find a real mask policy.

*How to reproduce*

Create a table with 3 columns (id int, name string, addr string). Add a redact policy on "name". Add an unmask policy on "id". Check whether updates will be blocked:
{code:sql}
explain authorization insert into table my_tbl values (0, 'foo', 'bar'); {code}
The result could be OK, or
{code:java}
Permission denied: user [admin] does not have [UPDATE] privilege on [default/my_tbl]{code}
cc [~madhan], [~jcamachorodriguez]



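The order dependence described in this report, as an added example that is not part of the original message and is not Ranger's code: a stand-alone Java model comparing a check that inspects one matched column policy with one that scans all of them. It uses no Ranger classes; `ColumnMask`, `blockUpdateSingleMatch`, `blockUpdateAnyMask` and the mask-type strings are assumptions made for illustration.

```java
import java.util.List;

// Stand-alone model of the check described in RANGER-3225; no Ranger classes are used.
public class MaskCheckDemo {
    // Constructed stand-in for RangerPolicy.MASK_TYPE_NONE (the "unmask" type).
    static final String MASK_TYPE_NONE = "MASK_NONE";

    // Hypothetical record: one column-masking policy that matches the user.
    record ColumnMask(String column, String maskType) {
        // Same rule as the RangerAccessResult#isMaskEnabled() snippet in the report.
        boolean isMaskEnabled() {
            return maskType != null && !maskType.isEmpty()
                    && !maskType.equalsIgnoreCase(MASK_TYPE_NONE);
        }
    }

    // Behaviour reported in the issue: only one matched policy is inspected,
    // so the answer depends on which policy happens to come first.
    static boolean blockUpdateSingleMatch(List<ColumnMask> matched) {
        return !matched.isEmpty() && matched.get(0).isMaskEnabled();
    }

    // Check suggested in the issue: scan every column policy until a real mask is found.
    static boolean blockUpdateAnyMask(List<ColumnMask> matched) {
        return matched.stream().anyMatch(ColumnMask::isMaskEnabled);
    }

    public static void main(String[] args) {
        // Constructed policies for my_tbl(id, name, addr): redact "name", unmask "id".
        // "MASK" is a constructed value standing for any real (non-NONE) mask type.
        ColumnMask redactName = new ColumnMask("name", "MASK");
        ColumnMask unmaskId = new ColumnMask("id", MASK_TYPE_NONE);

        // Two evaluation orders, standing in for policies being re-created or re-enabled.
        List<List<ColumnMask>> orders = List.of(
                List.of(redactName, unmaskId),
                List.of(unmaskId, redactName));

        for (List<ColumnMask> order : orders) {
            System.out.printf("first=%s single-match blocks=%b any-mask blocks=%b%n",
                    order.get(0).column(),
                    blockUpdateSingleMatch(order),
                    blockUpdateAnyMask(order));
        }
    }
}
```

The model needs Java 16 or later for `record`. The single-match check changes its answer between the two orders, while the scan over all column policies blocks the update in both.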