Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2023/05/21 20:11:00 UTC
[jira] [Resolved] (RANGER-4023) UserStoreEnricher is not enabled if only mask condition has attribute based expression
[ https://issues.apache.org/jira/browse/RANGER-4023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj resolved RANGER-4023.
--------------------------------------
Fix Version/s: 2.4.1
Resolution: Fixed
[~suchnit] - thank you for the fix. It is merged in the following branches:
{noformat}
commit b1a493290f137e52398b86006bf551e5e073906d (HEAD -> master, origin/master, origin/HEAD)
Author: Subhrat Chaudhary <su...@yahoo.com>
Date: Sun May 21 11:22:33 2023 -0700
RANGER-4023: fixed implicit addition of userStoreEnricher for references to user/group attributes in dataMask expressions
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
{noformat}.
{noformat}
commit af02991483f9f1d3f17c141281755409eb338f63 (HEAD -> ranger-2.4, origin/ranger-2.4)
Author: Subhrat Chaudhary <su...@yahoo.com>
Date: Sun May 21 11:22:33 2023 -0700
RANGER-4023: fixed implicit addition of userStoreEnricher for references to user/group attributes in dataMask expressions
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
(cherry picked from commit b1a493290f137e52398b86006bf551e5e073906d)
{noformat}
> UserStoreEnricher is not enabled if only mask condition has attribute based expression
> --------------------------------------------------------------------------------------
>
> Key: RANGER-4023
> URL: https://issues.apache.org/jira/browse/RANGER-4023
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Subhrat Chaudhary
> Assignee: Subhrat Chaudhary
> Priority: Major
> Fix For: 3.0.0, 2.4.1
>
>
> We added support for user/attribute based expressions in the masking condition in RANGER-3865. When only the mask condition has a user/group attribute based expression, RangerUserStoreEnricher is not enabled at the plugin end.
> Steps to reproduce (for Hive):
> * Create a resource based access policy:
> ** Resources: database=testdb, table=employee, column=*
> ** Allow condition policy item: group=public, permissions=select
> * Create a masking policy:
> ** Resources: database=testdb, table=employee, column=salary
> ** Allow condition policy item: group=public, permissions=select
> ** *Masking Option= Custom (CASE WHEN id IN (${{USER.employee_id}}) THEN salary ELSE '0' END)*
> * Add following attributes to the user jack:
> ** *employee_id : 1,2*
> * We have following data in Hive:
> **
> ||id||name||salary||
> |1|john|5600|
> |2|jane|5300|
> |3|jack|6700|
> |4|harry|9500|
> * When the *select * from testdb.employee;* query is executed, the expectation is *the salary of the employees john and jane should be displayed as it is, while for others it should be 0*. In the actual result, the salary of all the employees is '0'.
> * At the plugin end, the RangerUserstore cache file userstore.json is not created.
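An added example, not part of the original message or of Ranger's code: a small audit over an exported policy list that reports masking policies matching the condition described in the issue, where user-attribute macros appear only in data mask expressions and nowhere else in the service. The JSON field names (`dataMaskPolicyItems`, `dataMaskInfo`, `valueExpr`, `conditionExpr`, `rowFilterInfo`, `filterExpr`, `conditions`) and the sample policies are assumptions for illustration, and only the `${{USER.<attribute>}}` macro form shown in the issue is matched.

```python
import re

# Matches the macro form shown in the issue: ${{USER.<attribute>}}
USER_ATTR = re.compile(r"\$\{\{\s*USER\.(\w+)\s*\}\}")

def attribute_refs(policy):
    """Return {location: set of attribute names} for one policy dict."""
    found = {"condition": set(), "rowFilter": set(), "dataMask": set()}
    # Assumed item-list keys of an exported policy.
    item_lists = ("policyItems", "denyPolicyItems", "allowExceptions",
                  "denyExceptions", "dataMaskPolicyItems", "rowFilterPolicyItems")
    for key in item_lists:
        for item in policy.get(key) or []:
            for cond in item.get("conditions") or []:
                for value in cond.get("values") or []:
                    found["condition"].update(USER_ATTR.findall(value))
            mask = item.get("dataMaskInfo") or {}
            for field in ("valueExpr", "conditionExpr"):
                found["dataMask"].update(USER_ATTR.findall(mask.get(field) or ""))
            row = item.get("rowFilterInfo") or {}
            found["rowFilter"].update(USER_ATTR.findall(row.get("filterExpr") or ""))
    return found

def mask_only_attribute_use(policies):
    """Names of masking policies whose attribute macros are the only ones in
    the service, which is the case RANGER-4023 describes."""
    per_policy = {p["name"]: attribute_refs(p) for p in policies}
    # A reference in a condition or row filter anywhere is outside the reported case.
    if any(r["condition"] or r["rowFilter"] for r in per_policy.values()):
        return []
    return sorted(n for n, r in per_policy.items() if r["dataMask"])

# Constructed sample mirroring the reproduction steps in the issue.
SAMPLE = [
    {"name": "employee-access",
     "policyItems": [{"groups": ["public"], "accesses": [{"type": "select"}]}]},
    {"name": "salary-mask",
     "dataMaskPolicyItems": [{
         "groups": ["public"], "accesses": [{"type": "select"}],
         "dataMaskInfo": {"dataMaskType": "CUSTOM",
                          "valueExpr": "CASE WHEN id IN (${{USER.employee_id}}) "
                                       "THEN salary ELSE '0' END"}}]},
]

if __name__ == "__main__":
    print(mask_only_attribute_use(SAMPLE))
```

Policies reported here are the ones to re-test on plugins older than the fix versions listed in the issue, alongside a check that userstore.json exists in the plugin's cache.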