You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2023/05/21 20:11:00 UTC

[jira] [Resolved] (RANGER-4023) UserStoreEnricher is not enabled if only mask conditon has attribute based expression

     [ https://issues.apache.org/jira/browse/RANGER-4023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj resolved RANGER-4023.
--------------------------------------
    Fix Version/s: 2.4.1
       Resolution: Fixed

[~suchnit] - thank you for the fix. It is merged in following branches:

{noformat}
commit b1a493290f137e52398b86006bf551e5e073906d (HEAD -> master, origin/master, origin/HEAD)
Author: Subhrat Chaudhary <su...@yahoo.com>
Date:   Sun May 21 11:22:33 2023 -0700

    RANGER-4023: fixed implicit addition of userStoreEnricher for references to user/group attributes in dataMask expressions

    Signed-off-by: Madhan Neethiraj <ma...@apache.org>
{noformat}. 


{noformat}
commit af02991483f9f1d3f17c141281755409eb338f63 (HEAD -> ranger-2.4, origin/ranger-2.4)
Author: Subhrat Chaudhary <su...@yahoo.com>
Date:   Sun May 21 11:22:33 2023 -0700

    RANGER-4023: fixed implicit addition of userStoreEnricher for references to user/group attributes in dataMask expressions

    Signed-off-by: Madhan Neethiraj <ma...@apache.org>
    (cherry picked from commit b1a493290f137e52398b86006bf551e5e073906d)
{noformat}

> UserStoreEnricher is not enabled if only mask conditon has attribute based expression
> -------------------------------------------------------------------------------------
>
>                 Key: RANGER-4023
>                 URL: https://issues.apache.org/jira/browse/RANGER-4023
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Subhrat Chaudhary
>            Assignee: Subhrat Chaudhary
>            Priority: Major
>             Fix For: 3.0.0, 2.4.1
>
>
> We added the support for user/attribute based expressions in masking condition in RANGER-3865 . When only the mask condition has an user/group attribute based expression, RangerUserStoreEnricher is not enabled in plugin end.
> Steps to reproduce (for Hive):
>  * Create a resource based access policy:
>  ** Resources: database=testdb, table=employee, column=*
>  ** Allow condition policy item: group=public, permissions=select
>  * Create a masking policy:
>  ** Resources: database=testdb, table=employee, column=salary
>  ** Allow condition policy item: group=public, permissions=select
>  ** *Masking Option= Custom (CASE WHEN id IN (${{{}USER.employee_id{}}}) THEN salary ELSE '0' END)*
>  * Add following attributes to the user jack:
>  ** *employee_id : 1,2*
>  * We have following data in Hive:
>  ** 
> ||id||name||salary||
> |1|john|5600|
> |2|jane|5300|
> |3|jack|6700|
> |4|harry|9500|
>  * When *select * from testdb.employee;* query is executed, the expectation is {*}salary of the employee john and jane should be displayed as it is, while for others it should be 0{*}. In actual result, salary of all the employees is '0'.
>  * In plugin end, the RangerUserstore cache file userstore.json is not created.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)