Posted to commits@ranger.apache.org by ma...@apache.org on 2022/05/17 16:01:06 UTC

[ranger] branch ranger-2.3 updated: RANGER-3765: tag-based policy masking to override resource-based masking

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 3bb5c0838 RANGER-3765: tag-based policy masking to override resource-based masking
3bb5c0838 is described below

commit 3bb5c083856f09de16dabd3e2ee5de29e746f420
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Mon May 16 12:13:45 2022 -0700

    RANGER-3765: tag-based policy masking to override resource-based masking
    
    (cherry picked from commit fbe203b55e29716fde3b037aeb336ebbae6c5cd2)
---
 .../policyengine/RangerPolicyEngineImpl.java       |  12 +-
 .../test_policyengine_tag_hive_mask.json           | 233 ++++++---------------
 2 files changed, 70 insertions(+), 175 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 41ad8936d..5b3c9c3e5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -768,8 +768,16 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 						ret.setIsAccessDetermined(true);
 					}
 				} else if (ret.getIsAllowed()) {
-					if (ret.getPolicyPriority() > evaluator.getPolicyPriority()) {
-						ret.setIsAccessDetermined(true);
+					if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
+						// for access, allow decision made earlier by a policy with higher priority will be final
+						if (ret.getPolicyPriority() > evaluator.getPolicyPriority()) {
+							ret.setIsAccessDetermined(true);
+						}
+					} else {
+						// for other types (mask/row-filter), decision made earlier by a policy with same priority or higher will be final
+						if (ret.getPolicyPriority() >= evaluator.getPolicyPriority()) {
+							ret.setIsAccessDetermined(true);
+						}
 					}
 				}
 
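Review bot: The new `>=` branch makes the outcome for equal-priority mask/row-filter policies depend on the order in which evaluators are visited, and nothing in the hunk records which order is guaranteed; the accompanying test (user1 on `ssn`: tag policy 1 at priority 0 beats resource policy 103 at priority 0) suggests tag evaluators are visited before resource evaluators, which is what turns "earlier" into "tag overrides resource". That assumption should be spelled out in the comment on the else branch, e.g. `// mask/row-filter: first matching evaluator at the highest priority wins; tag-policy evaluators are visited before resource-policy evaluators, so a tag mask overrides a resource mask of equal priority — keep that ordering in sync`. The else branch also applies this rule to every policy type other than access, so any further policy type routed through this loop silently inherits mask/row-filter semantics; if explicit constants for the mask and row-filter types exist alongside `RangerPolicy.POLICY_TYPE_ACCESS`, testing them explicitly would be safer than a bare else. The enclosing method starts before and ends after this hunk, so the declaration of `policyType` is not visible here.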
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
index f2518b0b2..1d0bcb737 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
@@ -150,96 +150,35 @@
     }
   },
   "policies": [
-    {
-      "id": 101,
-      "name": "db=*: audit-all-access",
-      "isEnabled": true,
-      "isAuditEnabled": true,
-      "resources": {
-        "database": {
-          "values": [
-            "*"
-          ]
-        },
-        "table": {
-          "values": [
-            "*"
-          ]
-        },
-        "column": {
-          "values": [
-            "*"
-          ]
-        }
-      },
+    { "id": 101, "name": "db=*: audit-all-access", "isEnabled": true, "isAuditEnabled": true,
+      "resources": { "database": { "values": [ "*" ] }, "table": { "values": [ "*" ] }, "column": { "values": [ "*" ] } },
       "policyItems": [
-        {
-          "accesses": [
-            {
-              "type": "all",
-              "isAllowed": true
-            }
-          ],
-          "users": [
-            "hive",
-            "user1",
-            "user2"
-          ],
-          "groups": [
-            "public"
-          ],
-          "delegateAdmin": false
-        }
+        { "accesses": [ { "type": "all", "isAllowed": true } ], "users": [ "hive", "user1", "user2" ], "groups": [ "public" ], "delegateAdmin": false }
       ]
     },
-    {
-      "id": 102,
-      "name": "db=*, udf=*: audit-all-access",
-      "isEnabled": true,
-      "isAuditEnabled": true,
-      "resources": {
-        "database": {
-          "values": [
-            "*"
-          ]
-        },
-        "udf": {
-          "values": [
-            "*"
-          ]
-        }
-      },
+    { "id": 102, "name": "db=*, udf=*: audit-all-access", "isEnabled": true, "isAuditEnabled": true,
+      "resources": { "database": { "values": [ "*" ] }, "udf": { "values": [ "*" ] } },
       "policyItems": [
-        {
-          "accesses": [
-            {
-              "type": "all",
-              "isAllowed": true
-            }
-          ],
-          "users": [
-            "hive",
-            "user1",
-            "user2"
-          ],
-          "groups": [
-            "public"
-          ],
-          "delegateAdmin": false
-        }
+        { "accesses": [ { "type": "all", "isAllowed": true } ], "users": [ "hive", "user1", "user2" ], "groups": [ "public" ], "delegateAdmin": false }
       ]
     },
-    { "id": 103, "name":  "masking: employee.personal.ssl - normal priority", "isEnabled":  true, "isAuditEnabled":  true, "policyType": 1, "policyPriority": 0,
+    { "id": 103, "name":  "masking: employee.personal.ssn - normal priority", "isEnabled":  true, "isAuditEnabled":  true, "policyType": 1, "policyPriority": 0,
       "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] }, "column": { "values": [ "ssn" ] } },
       "dataMaskPolicyItems": [
         { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "dataMaskInfo": { "dataMaskType": "NONE" } }
       ]
     },
-    { "id": 104, "name":  "masking: employee.personal.ssl - override priority", "isEnabled":  true, "isAuditEnabled":  true, "policyType": 1, "policyPriority": 1,
+    { "id": 104, "name":  "masking: employee.personal.ssn - override priority", "isEnabled":  true, "isAuditEnabled":  true, "policyType": 1, "policyPriority": 1,
       "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] }, "column": { "values": [ "ssn" ] } },
       "dataMaskPolicyItems": [
         { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user3" ], "dataMaskInfo": { "dataMaskType": "NONE" } }
       ]
+    },
+    { "id": 105, "name":  "masking: employee.personal.name - normal priority", "isEnabled":  true, "isAuditEnabled":  true, "policyType": 1, "policyPriority": 0,
+      "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] }, "column": { "values": [ "name" ] } },
+      "dataMaskPolicyItems": [
+        { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1", "user2", "user4" ], "dataMaskInfo": { "dataMaskType": "NONE" } }
+      ]
     }
   ],
   "tagPolicyInfo": {
@@ -391,129 +330,77 @@
       ]
     },
     "tagPolicies": [
-      {
-        "id": 1,
-        "name": "RESTRICTED_TAG_POLICY",
-        "isEnabled": true,
-        "isAuditEnabled": true,
-        "policyType": 1,
-        "resources": {
-          "tag": {
-            "values": [
-              "RESTRICTED"
-            ],
-            "isRecursive": false
-          }
-        },
+      { "id": 1, "name": "RESTRICTED", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, "policyPriority": 0,
+        "resources": { "tag": { "values": [ "RESTRICTED" ], "isRecursive": false } },
         "dataMaskPolicyItems": [
-          {
-            "accesses": [
-              {
-                "type": "select",
-                "isAllowed": true
-              }
-            ],
-            "users": [
-              "user1"
-            ],
-            "groups": [],
-            "delegateAdmin": false,
-            "dataMaskInfo": {
-              "dataMaskType": "MASK"
-            }
-          },
-          {
-            "accesses": [
-              {
-                "type": "select",
-                "isAllowed": true
-              }
-            ],
-            "users": [
-              "user2",
-              "user3"
-            ],
-            "groups": [],
-            "delegateAdmin": false,
-            "dataMaskInfo": {
-              "dataMaskType": "SHUFFLE"
-            }
-          }
+          { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ],          "dataMaskInfo": { "dataMaskType": "MASK" } },
+          { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2", "user3" ], "dataMaskInfo": { "dataMaskType": "SHUFFLE" } }
         ]
       }
     ]
   },
   "tests": [
-    {
-      "name": "'select ssn from employee.personal;' for user1 - maskType=MASK",
+    { "name": "'select ssn from employee.personal;' for user1 - maskType=MASK",
       "request": {
-        "resource": {
-          "elements": {
-            "database": "employee",
-            "table": "personal",
-            "column": "ssn"
-          }
-        },
-        "accessType": "select",
-        "user": "user1",
-        "userGroups": [],
-        "requestData": "select ssn from employee.personal;' for user1",
-        "context": {
-          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
-        }
+        "resource": { "elements": { "database": "employee", "table": "personal", "column": "ssn" } },
+        "accessType": "select", "user": "user1", "userGroups": [], "requestData": "select ssn from employee.personal;' for user1",
+        "context": { "TAGS": "[{\"type\":\"RESTRICTED\"}]" }
       },
-      "dataMaskResult":{"additionalInfo":{"maskType":"MASK","maskCondition":null,"maskValue":null},"policyId":1}
+      "dataMaskResult": { "additionalInfo": { "maskType": "MASK", "maskCondition": null, "maskValue" :null }, "policyId": 1 }
     },
     {
       "name": "'select ssn from employee.personal;' for user2 - maskType=SHUFFLE",
       "request": {
-        "resource": {
-          "elements": {
-            "database": "employee",
-            "table": "personal",
-            "column": "ssn"
-          }
-        },
-        "accessType": "select",
-        "user": "user2",
-        "userGroups": [],
-        "requestData": "select ssn from employee.personal;' for user2",
-        "context": {
-          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
-        }
+        "resource": { "elements": { "database": "employee", "table": "personal", "column": "ssn" } },
+        "accessType": "select", "user": "user2", "userGroups": [], "requestData": "select ssn from employee.personal;' for user2",
+        "context": { "TAGS": "[{\"type\":\"RESTRICTED\"}]" }
       },
-      "dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":1}
+      "dataMaskResult": { "additionalInfo": { "maskType": "SHUFFLE", "maskCondition": null, "maskValue": null }, "policyId": 1 }
     },
     {
       "name": "'select ssn from employee.personal;' for user3 - maskType=NONE (resource-policy override)",
       "request": {
         "resource": { "elements": { "database": "employee", "table": "personal", "column": "ssn" } },
         "accessType": "select", "user": "user3", "requestData": "select ssn from employee.personal;' for user2",
-        "context": {
-          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
-        }
+        "context": { "TAGS": "[{\"type\":\"RESTRICTED\"}]" }
       },
-      "dataMaskResult":{"additionalInfo":{"maskType":"NONE","maskCondition":null,"maskValue":null},"policyId":104}
+      "dataMaskResult": { "additionalInfo": { "maskType": "NONE", "maskCondition": null, "maskValue": null }, "policyId": 104 }
     },
     {
       "name": "'select ssn from employee.personal;' for hive - maskType=NONE",
       "request": {
-        "resource": {
-          "elements": {
-            "database": "employee",
-            "table": "personal",
-            "column": "ssn"
-          }
-        },
-        "accessType": "select",
-        "user": "hive",
-        "userGroups": [],
-        "requestData": "select ssn from employee.personal;' for hive",
-        "context": {
-          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
-        }
+        "resource": { "elements": { "database": "employee", "table": "personal", "column": "ssn" } },
+        "accessType": "select", "user": "hive", "userGroups": [], "requestData": "select ssn from employee.personal;' for hive",
+        "context": { "TAGS": "[{\"type\":\"RESTRICTED\"}]" }
+      },
+      "dataMaskResult": { "additionalInfo": { "maskType": null, "maskCondition": null, "maskValue": null }, "policyId": -1 }
+    },
+    {
+      "name": "'select name from employee.personal;' for user1 - maskType=MASK",
+      "request": {
+        "resource": { "elements": { "database": "employee", "table": "personal", "column": "name" } },
+        "accessType": "select", "user": "user1", "userGroups": [], "requestData": "select name from employee.personal;' for user1",
+        "context": { "TAGS": "[{\"type\":\"RESTRICTED\"}]" }
+      },
+      "dataMaskResult": { "additionalInfo": { "maskType": "MASK", "maskCondition": null, "maskValue": null }, "policyId": 1 }
+    },
+    {
+      "name": "'select name from employee.personal;' for user2 - maskType=SHUFFLE",
+      "request": {
+        "resource": { "elements": { "database": "employee", "table": "personal", "column": "name" } },
+        "accessType": "select", "user": "user2", "userGroups": [], "requestData": "select name from employee.personal;' for user2",
+        "context": { "TAGS": "[{\"type\":\"RESTRICTED\"}]" }
+      },
+      "dataMaskResult": { "additionalInfo": { "maskType": "SHUFFLE", "maskCondition": null, "maskValue": null }, "policyId": 1 }
+    },
+    {
+      "name": "'select name from employee.personal;' for user4 - maskType=NONE",
+      "request": {
+        "resource": { "elements": { "database": "employee", "table": "personal", "column": "name" } },
+        "accessType": "select", "user": "user4", "userGroups": [], "requestData": "select name from employee.personal;' for user2",
+        "context": { "TAGS": "[{\"type\":\"RESTRICTED\"}]" }
       },
-      "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1}
+      "dataMaskResult": { "additionalInfo": { "maskType": "NONE", "maskCondition": null, "maskValue": null }, "policyId": 105 }
     }
   ]
 }
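Review bot: The `requestData` of the new user4 test (`"requestData": "select name from employee.personal;' for user2"`) was copied from the user2 case and still names user2; since this string presumably surfaces in the audit record for the request, it should read `... for user4`. The pre-existing user3 case above it carries the same slip. Coverage-wise, every test in this hunk sends `TAGS: RESTRICTED`; one request for `name` without the tag context would pin that resource policy 105 still yields `NONE` (policyId 105) for user1/user2 when no tag policy competes, which is the fallback the new equal-priority rule relies on. The `tests` array and the enclosing JSON document close at the end of this hunk.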