Posted to dev@ranger.apache.org by "peng.jianhua (JIRA)" <ji...@apache.org> on 2017/09/28 09:54:00 UTC

[jira] [Comment Edited] (RANGER-1796) Updated masking policy for hive to support for deny/allowException/denyExceptions

    [ https://issues.apache.org/jira/browse/RANGER-1796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16183921#comment-16183921 ] 

peng.jianhua edited comment on RANGER-1796 at 9/28/17 9:53 AM:
---------------------------------------------------------------

Hi [~madhan.neethiraj], I think that this change (to allow deny & exceptions for masking policies) is necessary, because we have the following requirement in a real business environment:
All groups are masked except for the GROUPA and GROUPB groups. At the same time, I also need masking for the USER1 user, who belongs to the GROUPA group.

Currently, Ranger cannot resolve the above case.

The above case can be resolved using this feature according to the following steps:
a. Select the 'public' group in 'Allow Conditions'. The 'public' group is a special group; it represents all the groups in Ranger.
b. Select the 'GROUPB' group in 'Exclude from Allow Conditions'.
c. Select the 'GROUPA' group in 'Deny Conditions'.
d. Select the 'USER1' user in 'Exclude from Deny Conditions'. 'USER1' belongs to the 'GROUPA' group.
Please refer to usecase-02.png.

More complex logic can also be supported by this feature. The feature will not affect the existing function; it is an enhancement and improvement of the existing function.


was (Author: peng.jianhua):
Hi [~madhan.neethiraj], I think that this change (to allow deny & exceptions for masking policies) is necessary, because we have the following requirement in a real business environment:
I masked for all groups except the GROUPA and GROUPB groups. At the same time, I also need masking for the USER1 user, who belongs to the GROUPA group.

Currently, Ranger cannot resolve the above case.

The above case can be resolved using this feature according to the following steps:
a. Select the 'public' group in 'Allow Conditions'. The 'public' group is a special group; it represents all the groups in Ranger.
b. Select the 'GROUPB' group in 'Exclude from Allow Conditions'.
c. Select the 'GROUPA' group in 'Deny Conditions'.
d. Select the 'USER1' user in 'Exclude from Deny Conditions'. 'USER1' belongs to the 'GROUPA' group.
Please refer to usecase-02.png.

More complex logic can also be supported by this feature. The feature will not affect the existing function; it is an enhancement and improvement of the existing function.

> Updated masking policy for hive  to support for deny/allowException/denyExceptions
> ----------------------------------------------------------------------------------
>
>                 Key: RANGER-1796
>                 URL: https://issues.apache.org/jira/browse/RANGER-1796
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>    Affects Versions: 1.0.0, master
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>              Labels: newbie, patch
>         Attachments: 0001-RANGER-1796-Updated-masking-policy-for-hive-to-suppo.patch, masking-03.png, masking2.png, usecase-01.png, usecase-02.png
>
>
> Masking policy for Hive should support deny/allowException/denyExceptions to meet further business needs. For example, masking policy for Hive should support the following scenario, among others:
> USER1, USER2 and USER3 belong to the user group GROUPA. The GROUPA group is selected when the masking policy is created. USER1 does not use masking, and USER2 and USER3 need masking.
> We rigorously tested this issue. The test results show that the feature is OK.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
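
An added example, not part of the original message or of the RANGER-1796 patch: a simplified Python model of steps a to d from the comment, showing which users end up masked. The evaluation order (deny items checked before allow items, each exception list cancelling a match in its own list), the reading of "deny" as "mask not applied", and the sample names USER4, USER5 and GROUPC are assumptions.

```python
# Simplified model of the four condition lists named in the comment.
# Assumption: deny is checked before allow, and an exception list cancels a
# match in its own list. This is not code from Ranger or from the patch.
from dataclasses import dataclass, field

PUBLIC = "public"  # special group that represents all groups


@dataclass
class Items:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def matches(self, user, groups):
        return user in self.users or PUBLIC in self.groups or bool(self.groups & groups)


@dataclass
class MaskingPolicy:
    allow: Items
    allow_exceptions: Items
    deny: Items
    deny_exceptions: Items

    def is_masked(self, user, user_groups):
        """Return True when the mask applies to this user."""
        g = set(user_groups)
        if self.deny.matches(user, g) and not self.deny_exceptions.matches(user, g):
            return False  # denied (assumed meaning: the mask is not applied)
        if self.allow.matches(user, g) and not self.allow_exceptions.matches(user, g):
            return True   # allowed: the mask is applied
        return False      # no item matched, or the user is excluded from allow


# Steps a to d from the comment.
STEPS_A_TO_D = MaskingPolicy(
    allow=Items(groups={PUBLIC}),
    allow_exceptions=Items(groups={"GROUPB"}),
    deny=Items(groups={"GROUPA"}),
    deny_exceptions=Items(users={"USER1"}),
)

# Constructed sample users; USER4, USER5 and GROUPC are hypothetical.
SAMPLE_USERS = {"USER1": {"GROUPA"}, "USER2": {"GROUPA"},
                "USER4": {"GROUPB"}, "USER5": {"GROUPC"}}


def masked_users(policy, users):
    return sorted(u for u, g in users.items() if policy.is_masked(u, g))
```

Under these assumptions, `masked_users(STEPS_A_TO_D, SAMPLE_USERS)` lists USER1 and USER5: USER1 is pulled out of the GROUPA deny by the exception, and USER5 is covered by 'public'.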