Posted to commits@ranger.apache.org by ma...@apache.org on 2022/03/30 16:12:31 UTC
[ranger] branch ranger-2.3 updated: RANGER-3688: resource-based masking policy doesn't override tag-based policy
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.3 by this push:
new 79f4efc RANGER-3688: resource-based masking policy doesn't override tag-based policy
79f4efc is described below
commit 79f4efc4396abb09befff5639281a6f757723a18
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Tue Mar 29 14:06:21 2022 -0700
RANGER-3688: resource-based masking policy doesn't override tag-based policy
(cherry picked from commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3)
---
.../RangerDefaultDataMaskPolicyItemEvaluator.java | 8 ++++++-
.../test_policyengine_tag_hive_mask.json | 26 +++++++++++++++++++++-
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index 5582124..f7e5f81 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -45,10 +45,16 @@ public class RangerDefaultDataMaskPolicyItemEvaluator extends RangerDefaultPolic
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
RangerPolicyItemDataMaskInfo dataMaskInfo = getDataMaskInfo();
- if (result.getMaskType() == null && dataMaskInfo != null) {
+ if (dataMaskInfo != null) {
result.setMaskType(dataMaskInfo.getDataMaskType());
result.setMaskCondition(dataMaskInfo.getConditionExpr());
result.setMaskedValue(dataMaskInfo.getValueExpr());
+ result.setIsAccessDetermined(true);
+ result.setPolicyPriority(policyEvaluator.getPolicyPriority());
+ result.setPolicyId(policyEvaluator.getId());
+ result.setReason(getComments());
+ result.setPolicyVersion(policyEvaluator.getPolicy().getVersion());
+
policyEvaluator.updateAccessResult(result, matchType, true, getComments());
}
}
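Review bot: Dropping the `result.getMaskType() == null` guard at the top of the hunk means the last matching evaluator wins, and nothing visible here compares `policyEvaluator.getPolicyPriority()` with the priority already recorded in `result` before overwriting the mask, so unless the caller orders or filters evaluators by priority a normal-priority resource policy granting `NONE` could replace a tag-based mask. The new test only exercises the override-priority policy (id 104, user3); a companion case for user1 against the normal-priority policy (id 103) would pin whichever outcome is intended. The five added `result.set…` calls look like they duplicate what `policyEvaluator.updateAccessResult(result, matchType, true, getComments())` on the following line records — if that method (outside the hunk) already sets policy id, priority, version and reason, the added lines can go, otherwise a comment such as `// set explicitly so a matching resource policy overrides a mask recorded by an earlier tag policy` would explain why both are needed. The enclosing class begins outside the hunk.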
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
index a97bd2b..f2518b0 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
@@ -228,6 +228,18 @@
"delegateAdmin": false
}
]
+ },
+ { "id": 103, "name": "masking: employee.personal.ssl - normal priority", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, "policyPriority": 0,
+ "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] }, "column": { "values": [ "ssn" ] } },
+ "dataMaskPolicyItems": [
+ { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "dataMaskInfo": { "dataMaskType": "NONE" } }
+ ]
+ },
+ { "id": 104, "name": "masking: employee.personal.ssl - override priority", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, "policyPriority": 1,
+ "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] }, "column": { "values": [ "ssn" ] } },
+ "dataMaskPolicyItems": [
+ { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user3" ], "dataMaskInfo": { "dataMaskType": "NONE" } }
+ ]
}
],
"tagPolicyInfo": {
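Review bot: The names of the two new policies (ids 103 and 104) read `employee.personal.ssl` while their column resource is `ssn`; the test still runs, but the mismatch makes the fixture harder to search, so `"name": "masking: employee.personal.ssn - normal priority"` (and likewise for 104) would be clearer. Policy 103 (user1) is added here but no request in the later hunk exercises it, so the normal-priority case is left unverified.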
@@ -418,7 +430,8 @@
}
],
"users": [
- "user2"
+ "user2",
+ "user3"
],
"groups": [],
"delegateAdmin": false,
@@ -472,6 +485,17 @@
"dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":1}
},
{
+ "name": "'select ssn from employee.personal;' for user3 - maskType=NONE (resource-policy override)",
+ "request": {
+ "resource": { "elements": { "database": "employee", "table": "personal", "column": "ssn" } },
+ "accessType": "select", "user": "user3", "requestData": "select ssn from employee.personal;' for user2",
+ "context": {
+ "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+ }
+ },
+ "dataMaskResult":{"additionalInfo":{"maskType":"NONE","maskCondition":null,"maskValue":null},"policyId":104}
+ },
+ {
"name": "'select ssn from employee.personal;' for hive - maskType=NONE",
"request": {
"resource": {
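Review bot: The new request's `requestData` on the `"accessType": "select", "user": "user3"` line ends with `' for user2` although the case is for user3 and the expected policy is 104; it looks copied from the preceding user2 case, so `"requestData": "select ssn from employee.personal;"` would match the sibling entries. The surrounding test-case array continues beyond the hunk.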