You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2017/06/12 18:53:37 UTC

ranger git commit: RANGER-1492: UI updates to support tag-based masking policies

Repository: ranger
Updated Branches:
  refs/heads/master f2c4f90f0 -> 5e82ed83c


RANGER-1492: UI updates to support tag-based masking policies

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/5e82ed83
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/5e82ed83
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/5e82ed83

Branch: refs/heads/master
Commit: 5e82ed83c4f6f360aefd2818c1485cb7dce2027c
Parents: f2c4f90
Author: Nitin Galave <ni...@gmail.com>
Authored: Mon Jun 12 17:57:31 2017 +0530
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Jun 12 11:17:35 2017 -0700

----------------------------------------------------------------------
 .../scripts/models/BackboneFormDataType.js      |   5 +-
 .../main/webapp/scripts/modules/XAOverrides.js  |   7 +-
 .../scripts/modules/globalize/message/en.js     |   2 +
 .../src/main/webapp/scripts/utils/XAUtils.js    |   7 +-
 .../scripts/views/policies/PermissionList.js    | 164 +++++++++++++++----
 .../views/policies/RangerPolicyCreate.js        |   6 +-
 .../scripts/views/policies/RangerPolicyForm.js  |  35 +++-
 .../views/policies/RangerPolicyTableLayout.js   |  22 ++-
 security-admin/src/main/webapp/styles/xa.css    |  11 ++
 .../main/webapp/templates/helpers/XAHelpers.js  |  16 +-
 .../templates/policies/PermissionItem.html      |   2 +-
 .../policies/RangerPolicyForm_tmpl.html         |  74 +++++----
 .../policies/RangerPolicyTableLayout_tmpl.html  |  10 +-
 13 files changed, 273 insertions(+), 88 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js b/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js
index 1aace56..fee50f5 100644
--- a/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js
+++ b/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js
@@ -33,7 +33,10 @@ define(function(require) {
 			var getResourceConfigs = function(configs){
 				if(XAUtils.isMaskingPolicy(form.model.get('policyType'))){
 					if(XAUtils.isRenderMasking(form.rangerServiceDefModel.get('dataMaskDef'))){
-						configs = form.rangerServiceDefModel.get('dataMaskDef').resources;
+						var resources = form.rangerServiceDefModel.get('dataMaskDef').resources;
+						if(!_.isEmpty(resources)){
+							configs = form.rangerServiceDefModel.get('dataMaskDef').resources;
+						}
 						configs = _.map(configs, function(obj){ obj.type =  'string'; return obj; });
 						return configs;
 					}

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/XAOverrides.js b/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
index 311ad0c..7d7a9d1 100644
--- a/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
+++ b/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
@@ -697,7 +697,7 @@
 	       **/
 	      
 	      var TagChecklist = function (options) {
-	          this.init('tagchecklist', options, TagChecklist.defaults);
+	    	  this.init('tagchecklist', options, TagChecklist.defaults);
 	      };
 
 	      $.fn.editableutils.inherit(TagChecklist, $.fn.editabletypes.list);
@@ -730,7 +730,7 @@
 	              $('<div>').append($selectComp).appendTo(this.$tpl);
 	              $table.append($tbody).appendTo(this.$tpl);
 	              
-	              this.$tpl.find('[data-id="selectComp"]').select2({width :'600px'}).on('change',function(e){
+	              this.$tpl.find('[data-id="selectComp"]').select2(this.options.select2option).on('change',function(e){
 	            	  
 	            	  if(!_.isUndefined(e.added)){
 	            		  that.addTr(e.added.text)
@@ -965,7 +965,8 @@
 	          @type string
 	          @default ','
 	          **/         
-	          separator: ','
+	          separator: ',',
+	          select2option : {}
 	      });
 
 	      $.fn.editabletypes.tagchecklist = TagChecklist;

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index f47276c..4397721 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -385,6 +385,7 @@ define(function(require) {
                 pleaseSelectGroup       : 'Please select group.',
                 addSelectedUserGroup	: 'Please add selected user/group to permissions else user/group will not be added.',
                 maskingPolicyInfoMsg   	: 'Please ensure that users/groups listed in this policy have access to the column via an <b>Access Policy</b>. This policy does not implicitly grant access to the column.',
+                maskingPolicyInfoMsgForTagBased   	: 'Please ensure that users/groups listed in this policy have access to the tag via an <b>Access Policy</b>. This policy does not implicitly grant access to the tag.',
                 rowFilterPolicyInfoMsg 	: 'Please ensure that users/groups listed in this policy have access to the table via an <b>Access Policy</b>. This policy does not implicitly grant access to the table.',
                 udfPolicyViolation      : '<b> Warning !!</b>  : UDF create is a privileged operation. Please make sure you grant them to only trusted users.',
                 noServiceToExport       :'No service found to export policies.',
@@ -396,6 +397,7 @@ define(function(require) {
                 plsSelectUserToSetVisibility :' Please select user to set visibility or selected user is already visible/hidden.',
                 plsSelectGroupToSetVisibility:' Please select group to set visibility or selected group is already visible/hidden.',
                 activationTimeDelayMsg       :'Policy activation time delayed by more than 1hr from last update time.',
+                pleaseSelectAccessTypeForTagMasking : 'Please select access type first to enable add masking options.'
  
 			},
 			plcHldr : {

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index 03e218d..56ac538 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -1261,8 +1261,8 @@ define(function(require) {
 		return type == XAEnums.RangerPolicyType.RANGER_MASKING_POLICY_TYPE.value ? true : false;
 	};
 	XAUtils.isRenderMasking = function(dataMaskDef){
-		return (!_.isUndefined(dataMaskDef) && !_.isUndefined(dataMaskDef.resources) 
-			&& dataMaskDef.resources.length > 0) ? true : false; 
+		return (!_.isUndefined(dataMaskDef) && !_.isUndefined(dataMaskDef.maskTypes) 
+			&& dataMaskDef.maskTypes.length > 0) ? true : false; 
 	};
 	XAUtils.isAccessPolicy = function(type){
 		return type == XAEnums.RangerPolicyType.RANGER_ACCESS_POLICY_TYPE.value ? true : false;
@@ -1335,5 +1335,8 @@ define(function(require) {
                         return '--';
                 }
         };
+        XAUtils.isTagBasedDef = function(def){
+        	return def.get('name') == XAEnums.ServiceType.SERVICE_TAG.label ? true : false;
+        }
 	return XAUtils;
 });
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
index 2bb4d8a..067bf3b 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
@@ -77,9 +77,9 @@ define(function(require) {
 		},
 
 		initialize : function(options) {
-                        _.extend(this, _.pick(options,'accessTypes','policyConditions','rangerServiceDefModel','rangerPolicyType'));
+            _.extend(this, _.pick(options,'accessTypes','policyConditions','rangerServiceDefModel','rangerPolicyType'));
 			this.setupPermissionsAndConditions();
-			
+			this.accessPermSetForTagMasking = false;
 		},
  
 		onRender : function() {
@@ -93,18 +93,18 @@ define(function(require) {
 			this.dropDownChange(this.ui.selectGroups);
 			this.dropDownChange(this.ui.selectUsers);
 			//render permissions and policy conditions
-			if(this.rangerServiceDefModel.get('name') == XAEnums.ServiceType.SERVICE_TAG.label){
-				this.renderPermsForTagBasedPolicies()
+			if(XAUtil.isTagBasedDef(this.rangerServiceDefModel)){
+				this.renderPermsForTagBasedPolicies();
+//				if(XAUtil.isMaskingPolicy(this.rangerPolicyType)) this.renderMaskingTypesForTagBasedPolicies();
 			} else {
 				this.renderPerms();
+				if(XAUtil.isMaskingPolicy(this.rangerPolicyType)){
+					this.renderMaskingType();
+				}
 			}
 			this.renderPolicyCondtion();
-			if(XAUtil.isMaskingPolicy(this.rangerPolicyType)){
-				this.renderMaskingType();
-			}
-			if(XAUtil.isRowFilterPolicy(this.rangerPolicyType)){
-				this.renderRowLevelFilter();
-			}
+				
+			if(XAUtil.isRowFilterPolicy(this.rangerPolicyType))	this.renderRowLevelFilter();
 			
 		},
 		setupFormForEditMode : function() {
@@ -241,8 +241,10 @@ define(function(require) {
 			this.perms =  _.map(this.accessTypes,function(m){return {text:m.label, value:m.name};});
 			this.perms.push({'value' : -1, 'text' : 'Select/Deselect All'});
 			//set default access type 'select' for add new masking & row filter policies
-			if(!XAUtil.isAccessPolicy(this.rangerPolicyType) && !_.contains(this.permsIds,'select')) {
-				this.permsIds.push('select');
+			if(this.perms.length == 2){
+				if(!_.isUndefined(this.perms[0].value) && _.isEmpty(this.permsIds)){
+					this.permsIds.push(this.perms[0].value);	
+				}
 			}
 			//create x-editable for permissions
 			this.ui.addPerms.editable({
@@ -308,25 +310,38 @@ define(function(require) {
 			this.ui.addPerms.attr('title','Components Permissions')
 			this.ui.delegatedAdmin.parent('td').hide();
 			this.perms =  _.map(this.accessTypes,function(m){return {text:m.label, value:m.name};});
-
+			//select defatult access type if single component exists
+			if(this.perms.length == 1 && this.permsIds.length >= 0){
+				this.permsIds.push(this.perms[0].value)
+			}
+			var select2optn = { width :'600px' };
+			if(XAUtil.isMaskingPolicy(this.rangerPolicyType)){
+				select2optn = {width :'600px' , maximumSelectionSize : 1 };
+			}
 			//create x-editable for permissions
 			this.ui.addPerms.editable({
 			    emptytext : 'Add Permissions',
 				source: this.perms,
 				value : this.permsIds,
+				select2option : select2optn,
 				placement : 'top',
 				showbuttons : 'bottom',
 				display: function(values,srcData) {
+					if(_.contains(values,"on"))	values = _.without(values,"on");
 					if(_.isNull(values) || _.isEmpty(values)){
 						$(this).empty();
 						that.model.unset('accesses');
 						that.ui.addPermissionsSpan.find('i').attr('class', 'icon-plus');
 						that.ui.addPermissionsSpan.attr('title','add');
+						//disable Masking option for tag based
+						if(XAUtil.isMaskingPolicy(that.rangerPolicyType)){
+							that.accessPermSetForTagMasking = false;
+							that.model.unset('dataMaskInfo');
+							that.renderMaskingTypesForTagBasedPolicies();
+							that.$el.find('input[data-id="maskTypeCustom"]').val("");
+						}
 						return;
 					}
-					if(_.contains(values,"on")){
-						values = _.without(values,"on")
-					}
 					//To remove selectall options
 					values = _.uniq(values);
 					if(values.indexOf("selectall") >= 0){
@@ -359,6 +374,14 @@ define(function(require) {
 					$(this).html(_.uniq(valArr).join(" "));
 					that.ui.addPermissionsSpan.find('i').attr('class', 'icon-pencil');
 					that.ui.addPermissionsSpan.attr('title','edit');
+					
+					//enabling add masking option for Tag-based
+					if(XAUtil.isMaskingPolicy(that.rangerPolicyType)){
+						that.accessPermSetForTagMasking = true;
+						var selectedComponent = _.map(items, function(m){ return m.type.substr(0,m.type.indexOf(":")); });
+						selectedComponent = _.uniq(selectedComponent);
+						that.renderMaskingTypesForTagBasedPolicies(selectedComponent)
+					}
 				},
 			}).on('hide',function(e){
 					$(e.currentTarget).parent().find('.tag-fixed-popover-wrapper').remove()
@@ -384,6 +407,91 @@ define(function(require) {
 			});
 			
 		},
+		renderMaskingTypesForTagBasedPolicies :function(accessTypeSelectedComp){
+			var that = this, perms = [];
+			this.ui.addPerms.attr('data-type','radiolist')
+			this.ui.addPerms.attr('title','Components Permissions')
+			this.ui.delegatedAdmin.parent('td').hide();
+			
+			var maskingTypes = this.rangerServiceDefModel.get('dataMaskDef').maskTypes;
+			//get selected components masking types
+			_.each(maskingTypes,function(m){
+				var compName = m.name.substr(0,m.name.indexOf(":"));
+				if($.inArray(compName, accessTypeSelectedComp) >= 0){
+					perms.push({text:m.label, value:m.name});
+				}
+			}, this);
+			var maskTypeVal =  [];
+			if(!_.isUndefined(this.model.get('dataMaskInfo')) && !_.isUndefined(this.model.get('dataMaskInfo').dataMaskType)){
+				maskTypeVal = this.model.get('dataMaskInfo').dataMaskType;
+				if(!_.isUndefined(accessTypeSelectedComp) && !_.isUndefined(maskTypeVal)){
+					maskTypeVal = $.inArray(maskTypeVal.substr(0,maskTypeVal.indexOf(":")), accessTypeSelectedComp) >= 0 ? maskTypeVal : [];
+				}
+			}
+			//Reset Add Masking Options
+			this.ui.maskingType.editable("setValue",null);
+			this.ui.maskingType.editable("destroy");
+			that.ui.addMaskingTypeSpan.unbind( "click" );
+			this.$el.find('input[data-id="maskTypeCustom"]').unbind( "change" );
+			that.ui.addMaskingTypeSpan.find('i').attr('class', 'icon-plus');
+			that.ui.addMaskingTypeSpan.attr('title','add');
+			this.$el.find('input[data-id="maskTypeCustom"]').css("display","none");
+			//create x-editable for permissions
+			this.ui.maskingType.editable({
+			    emptytext : 'Add Mask Type',
+				source: perms,
+				value : maskTypeVal,
+				placement : 'top',
+				showbuttons : 'bottom',
+				disabled : !this.accessPermSetForTagMasking,
+				display: function(value,srcData) {
+					if(_.isNull(value) || _.isUndefined(value) || _.isEmpty(value)){
+						$(this).empty();
+//						that.model.unset('accesses');
+						that.ui.addPermissionsSpan.find('i').attr('class', 'icon-plus');
+						that.ui.addPermissionsSpan.attr('title','add');
+						return;
+					}
+					
+					var obj = _.findWhere(srcData, {'value' : value } );
+					// Save form data to model
+					that.model.set('dataMaskInfo', {'dataMaskType': value });
+					//Custom dataMaskType
+					if(value.indexOf("CUSTOM") >= 0){
+						$(this).siblings('[data-id="maskTypeCustom"]').css("display","");
+					}else{
+						$(this).siblings('[data-id="maskTypeCustom"]').css("display","none");
+						$(this).siblings('[data-id="maskTypeCustom"]').val(" ");
+					}
+					
+					$(this).html("<span class='label label-info'>"+ value.substr(0,value.indexOf(":")).toUpperCase() +" : "
+							+ obj.text +"</span>");
+					that.ui.addMaskingTypeSpan.find('i').attr('class', 'icon-pencil');
+					that.ui.addMaskingTypeSpan.attr('title','edit');
+				},
+			}).on('hide',function(e){
+					$(e.currentTarget).parent().find('.tag-fixed-popover-wrapper').remove()
+			}).on('click', function(e) {
+				e.stopPropagation();
+				e.preventDefault();
+			});
+			that.ui.addMaskingTypeSpan.click(function(e) {
+				e.stopPropagation();
+				if(!that.accessPermSetForTagMasking){
+					XAUtil.alertPopup({ msg :localization.tt('msg.pleaseSelectAccessTypeForTagMasking') });
+					return;
+				}
+				that.$('a[data-js="maskingType"]').editable('toggle');
+			});
+			this.$el.find('input[data-id="maskTypeCustom"]').on('change', function(e){
+				if(!_.isUndefined(that.model.get('dataMaskInfo'))){
+					that.model.get('dataMaskInfo').valueExpr = e.currentTarget.value;
+				}
+			}).trigger('change');
+			if(!this.accessPermSetForTagMasking){
+				that.ui.maskingType.html('Add Mask Type');
+			}
+		},
 		clickOnPermissions : function(that) {
 			var selectAll = true;
 			var checklist = that.$('.editable-checklist').find('input[type="checkbox"]')
@@ -699,21 +807,20 @@ define(function(require) {
 		},
 		getPermHeaders : function(){
 			var permList = [];
-			if(this.rangerServiceDefModel.get('name') != XAEnums.ServiceType.SERVICE_TAG.label){
-				if(XAUtil.isAccessPolicy(this.rangerPolicyType)){
+			if(XAUtil.isAccessPolicy(this.rangerPolicyType) ){
+				if(this.rangerServiceDefModel.get('name') != XAEnums.ServiceType.SERVICE_TAG.label){
 					permList.unshift(localization.tt('lbl.delegatedAdmin'));
-				}
-				if(XAUtil.isRowFilterPolicy(this.rangerPolicyType)){
-					permList.unshift(localization.tt('lbl.rowLevelFilter'));
-					permList.unshift(localization.tt('lbl.accessTypes'));
-				}else if(XAUtil.isMaskingPolicy(this.rangerPolicyType)){
-					permList.unshift(localization.tt('lbl.selectMaskingOption'));
-					permList.unshift(localization.tt('lbl.accessTypes'));
-				}else{
 					permList.unshift(localization.tt('lbl.permissions'));
+				}else{
+					permList.unshift(localization.tt('lbl.componentPermissions'));
 				}
-			} else {
-				permList.unshift(localization.tt('lbl.componentPermissions'));
+			}
+			if(XAUtil.isRowFilterPolicy(this.rangerPolicyType)){
+				permList.unshift(localization.tt('lbl.rowLevelFilter'));
+				permList.unshift(localization.tt('lbl.accessTypes'));
+			}else if(XAUtil.isMaskingPolicy(this.rangerPolicyType)){
+				permList.unshift(localization.tt('lbl.selectMaskingOption'));
+				permList.unshift(localization.tt('lbl.accessTypes'));
 			}
 			
 			if(!_.isEmpty(this.rangerServiceDefModel.get('policyConditions'))){
@@ -736,6 +843,7 @@ define(function(require) {
 					this.accessTypes =  _.map(rowFilterDef.accessTypes, function(m){return _.findWhere(this.accessTypes, {'name' : m.name });}, this);
 				}
 			}
+			
 		},
 		makePolicyItemSortable : function(){
 			var that = this, draggedModel;

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js
index 728e5bf..df13b7c 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js
@@ -45,7 +45,11 @@ define(function(require){
     	templateHelpers : function(){
 		var infoMsg = '', displayClass = 'hide';
 		if(XAUtil.isMaskingPolicy(this.model.get('policyType'))){
-			infoMsg = localization.tt('msg.maskingPolicyInfoMsg'), displayClass = 'show';
+			if(XAUtil.isTagBasedDef(this.rangerServiceDefModel)){
+				infoMsg = localization.tt('msg.maskingPolicyInfoMsgForTagBased'), displayClass = 'show';	
+			}else{
+				infoMsg = localization.tt('msg.maskingPolicyInfoMsg'), displayClass = 'show';
+			}
 		}else if(XAUtil.isRowFilterPolicy(this.model.get('policyType'))){
 			infoMsg = localization.tt('msg.rowFilterPolicyInfoMsg'), displayClass = 'show';
 		}

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
index ff62bb2..403e23c 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
@@ -216,7 +216,11 @@ define(function(require){
 				this.selectedResourceTypes = {};
 				var resourceDefList = this.rangerServiceDefModel.get('resources');
 				if(XAUtil.isMaskingPolicy(this.model.get('policyType')) && XAUtil.isRenderMasking(this.rangerServiceDefModel.get('dataMaskDef'))){
-					resourceDefList = this.rangerServiceDefModel.get('dataMaskDef').resources;
+					if(!_.isEmpty(this.rangerServiceDefModel.get('dataMaskDef').resources)){
+						resourceDefList = this.rangerServiceDefModel.get('dataMaskDef').resources;
+					}else{
+						resourceDefList = this.rangerServiceDefModel.get('resources');
+					}
 				}
 				_.each(this.model.get('resources'),function(obj,key){
 					var resourceDef = _.findWhere(resourceDefList,{'name':key}),
@@ -270,7 +274,7 @@ define(function(require){
                                 rangerPolicyType : that.model.get('policyType')
                         }).render().el);
 						
-                        if( enableDenyAndExceptionsInPolicies ){
+                        if( enableDenyAndExceptionsInPolicies && !XAUtil.isMaskingPolicy(that.model.get('policyType')) ){
                                 that.$('[data-customfields="groupPermsAllowExclude"]').html(new PermissionList({
                                         collection : that.formInputAllowExceptionList,
                                         model 	   : that.model,
@@ -366,7 +370,11 @@ define(function(require){
 			//Check for masking policies
 			var resourceDef = this.rangerServiceDefModel.get('resources');
 			if(XAUtil.isMaskingPolicy(this.model.get('policyType')) && XAUtil.isRenderMasking(this.rangerServiceDefModel.get('dataMaskDef'))){
-				resourceDef = this.rangerServiceDefModel.get('dataMaskDef').resources;
+				if(!_.isEmpty(this.rangerServiceDefModel.get('dataMaskDef').resources)){
+					resourceDef = this.rangerServiceDefModel.get('dataMaskDef').resources;
+				}else{
+					resourceDef = this.rangerServiceDefModel.get('resources');
+				}
 			}
 			if(XAUtil.isRowFilterPolicy(this.model.get('policyType')) && XAUtil.isRenderRowFilter(this.rangerServiceDefModel.get('rowFilterDef'))){
 				resourceDef = this.rangerServiceDefModel.get('rowFilterDef').resources;
@@ -638,7 +646,7 @@ define(function(require){
 			var resources = {},resourceName = options.type;
 			var isParent = true, name = options.type, val = null,isCurrentSameLevelField = true;
 			while(isParent){
-				var currentResource = _.findWhere(this.rangerServiceDefModel.get('resources'), {'name': name });
+				var currentResource = _.findWhere(this.getResources(), {'name': name });
 				//same level type
 				if(_.isUndefined(this.fields[currentResource.name])){
 					var sameLevelName = 'sameLevel'+currentResource.level;
@@ -691,8 +699,9 @@ define(function(require){
 					condSet = m.has('conditions') ? true : false;
 				}
 				if(m.has('dataMaskInfo') && !_.isUndefined(m.get('dataMaskInfo').dataMaskType)){
-					if(m.get('dataMaskInfo').dataMaskType === "CUSTOM"){
-						customMaskSet = _.isUndefined(m.get('dataMaskInfo').valueExpr) || _.isEmpty(m.get('dataMaskInfo')).valueExpr ? false : true;
+					if( m.get('dataMaskInfo').dataMaskType.indexOf("CUSTOM") >= 0 ){
+						var valueExpr = m.get('dataMaskInfo').valueExpr;
+						customMaskSet = _.isUndefined(valueExpr) || _.isEmpty(valueExpr.trim()) ? false : true;
 					}
 				}
 			});
@@ -716,6 +725,20 @@ define(function(require){
 		getPolicyBaseFieldNames : function(){
 			 var fields = ['isAuditEnabled','description'];
 			 return fields;
+		},
+		getResources : function(){
+			if(XAUtil.isMaskingPolicy(this.model.get('policyType'))){
+				if(XAUtil.isRenderMasking(this.rangerServiceDefModel.get('dataMaskDef'))){
+					if(!_.isEmpty(this.rangerServiceDefModel.get('dataMaskDef').resources)){
+						return this.rangerServiceDefModel.get('dataMaskDef').resources;
+					}
+				}
+			}else if(XAUtil.isRowFilterPolicy(this.model.get('policyType'))){
+				if(XAUtil.isRenderRowFilter(this.rangerServiceDefModel.get('rowFilterDef'))){
+					return this.rangerServiceDefModel.get('rowFilterDef').resources;
+				}
+			}
+			return this.rangerServiceDefModel.get('resources');
 		}
 	});
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
index 1eaf3da..eb88686 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
@@ -50,8 +50,11 @@ define(function(require){
 
 		templateHelpers : function(){
 			return {
-				rangerService:this.rangerService,
-				rangerPolicyType : this.collection.queryParams['policyType']
+				rangerService : this.rangerService,
+				rangerServiceDef : this.rangerServiceDefModel,
+				rangerPolicyType : this.collection.queryParams['policyType'],
+				isRenderAccessTab : XAUtil.isRenderMasking(this.rangerServiceDefModel.get('dataMaskDef')) ? true 
+						  : XAUtil.isRenderRowFilter(this.rangerServiceDefModel.get('rowFilterDef')) ? true : false
 			};
 		},
         
@@ -60,7 +63,6 @@ define(function(require){
     			return [XALinks.get('TagBasedServiceManager'),XALinks.get('ManagePolicies',{model : this.rangerService})];
     		}
     		return [XALinks.get('ServiceManager'),XALinks.get('ManagePolicies',{model : this.rangerService})];
-//    		return [];
    		},        
 
 		/** Layout sub regions */
@@ -113,7 +115,7 @@ define(function(require){
 			this.rangerServiceDefModel.fetch({
 				cache : false,
 				async : false
-                        });
+            });
 		},
 		
 		initializePolicies : function(policyType){
@@ -131,7 +133,7 @@ define(function(require){
 			this.addVisualSearch();
 			this.renderTable();
 			this.initializePolicies();
-                        XAUtil.searchInfoPopover(this.searchInfoArray , this.ui.iconSearchInfo , 'bottom');
+            XAUtil.searchInfoPopover(this.searchInfoArray , this.ui.iconSearchInfo , 'bottom');
 
 		},
 		/** all post render plugin initialization */
@@ -149,8 +151,8 @@ define(function(require){
 			this.showRequiredTabs()
 		},
 		showRequiredTabs : function(){
-			if(XAUtil.isEmptyObjectResourceVal(this.rangerServiceDefModel.get('dataMaskDef'))){
-				this.$el.find('li[data-tab="masking"]').hide();
+			if(XAUtil.isRenderMasking(this.rangerServiceDefModel.get('dataMaskDef'))){
+				this.$el.find('li[data-tab="masking"]').show();
 			}
 			if(XAUtil.isEmptyObjectResourceVal(this.rangerServiceDefModel.get('rowFilterDef'))){
 				this.$el.find('li[data-tab="rowLevelFilter"]').hide();
@@ -322,7 +324,11 @@ define(function(require){
                         var that = this, resources = this.rangerServiceDefModel.get('resources');
                         var policyType = this.collection.queryParams['policyType'];
                         if(XAUtil.isMaskingPolicy(policyType) ){
-                                resources = this.rangerServiceDefModel.get('dataMaskDef')['resources'];
+                        	if(!_.isEmpty(this.rangerServiceDefModel.get('dataMaskDef').resources)){
+                        		resources = this.rangerServiceDefModel.get('dataMaskDef')['resources'];
+                        	}else{
+                        		resources = this.rangerServiceDefModel.get('resources');
+                        	}    
                         }else if(XAUtil.isRowFilterPolicy(policyType) ){
                                 resources = this.rangerServiceDefModel.get('rowFilterDef')['resources'];
                         }

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/styles/xa.css
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css
index c70c0bc..fbfc9a0 100644
--- a/security-admin/src/main/webapp/styles/xa.css
+++ b/security-admin/src/main/webapp/styles/xa.css
@@ -2181,4 +2181,15 @@ td.subgrid-custom-cell{
 }
 .tag-attr-popover .table td:first-child{
         border-left-color:transparent;
+}
+.divider-popup{
+	padding: 4px;
+	background-color: #eeeeee;
+    text-align: center;
+    font-size: 12px;
+}
+.empty-text{
+    text-align: center;
+    font-weight: bold;
+    font-style: italic;
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/helpers/XAHelpers.js b/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
index 4491d70..1766880 100644
--- a/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
+++ b/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
@@ -540,7 +540,21 @@
 		var XAEnums		= require('utils/XAEnums');
 		return XAUtil.isRenderRowFilter(XAEnums.RangerPolicyType.RANGER_ROW_FILTER_POLICY_TYPE.value);
 	});
-	
+	Handlebars.registerHelper('showMaskingTab', function(context, options) {
+		var dataMaskDef = context.rangerServiceDef.get('dataMaskDef');
+		
+		return ( !_.isUndefined(dataMaskDef) 
+				&& ( !_.isUndefined(dataMaskDef.accessTypes) ) && dataMaskDef.accessTypes.length > 0 
+				&& ( !_.isUndefined(dataMaskDef.maskTypes) )   && dataMaskDef.maskTypes.length > 0 )
+				? options.fn(this) : options.inverse(this);
+	});
+	Handlebars.registerHelper('showRowLevelTab', function(context, options) {
+		var rowFilterDef = context.rangerServiceDef.get('rowFilterDef');
+		return ( !_.isUndefined(rowFilterDef) 
+				&& ( !_.isUndefined(rowFilterDef.accessTypes) ) && rowFilterDef.accessTypes.length > 0 
+				&& ( !_.isUndefined(rowFilterDef.resources) ) && rowFilterDef.resources.length > 0 )
+				? options.fn(this) : options.inverse(this); 
+	});
 
 	return HHelpers;
 });

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/templates/policies/PermissionItem.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/policies/PermissionItem.html b/security-admin/src/main/webapp/templates/policies/PermissionItem.html
index 745c881..f6ff167 100644
--- a/security-admin/src/main/webapp/templates/policies/PermissionItem.html
+++ b/security-admin/src/main/webapp/templates/policies/PermissionItem.html
@@ -34,7 +34,7 @@
 </td>
 {{#if isMaskingPolicy}}
 <td>	
-	<a href="#" data-js="maskingType" data-type="radiolist" data-title="Select Masking Option" title="Select Masking Option" ></a>
+	<a href="#" data-js="maskingType" data-type="radiolist" data-title="Select Masking Option" title="Select Masking Option" >Add Mask Type</a>
 	<button type="button" class="btn btn-mini add-masking-type" title="Add" style="display: inline-block;"><i class="icon-plus"></i>
 	</button>
 	<input type="text" data-id="maskTypeCustom" value="{{dataMaskInfo.valueExpr}}" placeholder="enter masked value or expression" style="display:none;" width="40%"/>

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
index 865ea72..859aced 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
@@ -47,55 +47,59 @@ language governing permissions and limitations under the License. --}}
 						</div>
 					</div>
 				</div>
-				<div class="form-indent-right" data-js="allowExcludePerm">
-					<p class="wrap-header reportSearchHeader ">Exclude from Allow
-						Conditions :</p>
+				{{#compare "Allow" "eq" conditionType}}
+					<div class="form-indent-right" data-js="allowExcludePerm">
+						<p class="wrap-header reportSearchHeader ">Exclude from Allow
+							Conditions :</p>
+						&nbsp;
+						<div class="wrap position-relative">
+	
+							<div class="" data-customfields="groupPermsAllowExclude">
+								<div class="control-group" style="margin-left: -100px;">
+									<label class="control-label">Exclude :</label>
+									<div class="controls">
+										<img src="images/loading.gif"
+											style="margin-left: 4%; margin-top: 1%;" />
+									</div>
+								</div>
+							</div>
+						</div>
+					</div>
+				{{/compare}}
+			</div>
+			{{#compare "Allow" "eq" conditionType}}
+				<div data-js="denyConditionItems">
+					<p class="wrap-header bold formHeader">Deny Conditions :</p>
 					&nbsp;
 					<div class="wrap position-relative">
-
-						<div class="" data-customfields="groupPermsAllowExclude">
-							<div class="control-group" style="margin-left: -100px;">
-								<label class="control-label">Exclude :</label>
+						<div class="" data-customfields="groupPermsDeny">
+							<div class="control-group">
+								<label class="control-label">{{tt 'lbl.permissions'}}</label>
 								<div class="controls">
 									<img src="images/loading.gif"
 										style="margin-left: 4%; margin-top: 1%;" />
 								</div>
 							</div>
 						</div>
-					</div>
-				</div>
-			</div>
-			<div data-js="denyConditionItems">
-				<p class="wrap-header bold formHeader">Deny Conditions :</p>
-				&nbsp;
-				<div class="wrap position-relative">
-					<div class="" data-customfields="groupPermsDeny">
-						<div class="control-group">
-							<label class="control-label">{{tt 'lbl.permissions'}}</label>
-							<div class="controls">
-								<img src="images/loading.gif"
-									style="margin-left: 4%; margin-top: 1%;" />
-							</div>
-						</div>
-					</div>
-					<div class="form-indent-right">
-						<p class="wrap-header reportSearchHeader">Exclude from Deny
-							Conditions :</p>
-						&nbsp;
-						<div class="wrap position-relative">
-							<div class="" data-customfields="groupPermsDenyExclude">
-								<div class="control-group">
-									<label class="control-label">Exclude :</label>
-									<div class="controls">
-										<img src="images/loading.gif"
-											style="margin-left: 4%; margin-top: 1%;" />
+						<div class="form-indent-right">
+							<p class="wrap-header reportSearchHeader">Exclude from Deny
+								Conditions :</p>
+							&nbsp;
+							<div class="wrap position-relative">
+								<div class="" data-customfields="groupPermsDenyExclude">
+									<div class="control-group">
+										<label class="control-label">Exclude :</label>
+										<div class="controls">
+											<img src="images/loading.gif"
+												style="margin-left: 4%; margin-top: 1%;" />
+										</div>
 									</div>
 								</div>
 							</div>
 						</div>
 					</div>
 				</div>
-			</div>
+			{{/compare}}
 	</fieldset>
 </form>
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/5e82ed83/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
index 5031c7f..c49dc32 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
@@ -15,18 +15,24 @@
   limitations under the License.
 --}}
 
-{{#compare "hive" "eq" this.rangerService.attributes.type}}
+
 	<div data-id="policyTypeTab">
 		<ul class="nav nav-tabs tabs clearfix">
+		{{#showRowLevelTab .}}
 			<li data-tab="rowLevelFilter" class=""><a data-toggle="tab"
 				href="#rowLevelFilter">Row Level Filter</a></li>
+		{{/showRowLevelTab}}
+		
+		{{#showMaskingTab .}}
 			<li data-tab="masking" class=""><a data-toggle="tab"
 				href="#masking">Masking</a></li>
+		{{/showMaskingTab}}
+		{{#if isRenderAccessTab}}
 			<li data-tab="access" class="active"><a data-toggle="tab"
 				href="#access">Access</a></li>
+		{{/if}}		
 		</ul>
 </div>
-{{/compare}}
 <h3 class="wrap-header bold"> {{tt 'lbl.listOfPolicies'}} : {{rangerService.attributes.name}} </h3>
 <div class="wrap non-collapsible m-height ">
 	<div>