
Hive plugin may not block updates when unmask policy exists


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.6.3, 1.0.0, 0.7.1, 1.1.0, 1.2.0, 2.1.0
    • Fix Version/s: None
    • Component/s: plugins
    • Labels: None

    Description

      Per RANGER-1087 and RANGER-1100, table modifications (insert/delete/update) should be blocked when a row-filter or column-masking policy applies to the user. However, when there are no row-filtering policies on the table and the columns carry both mask and unmask policies, updates may not be blocked.

      The cause is that the plugin checks only one column-masking policy of the table, regardless of whether that policy is an unmask (MASK_TYPE_NONE) policy:

      // check if masking is enabled for any column in the table/view
      request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
      RangerAccessResult dataMaskResult = getDataMaskResult(request);
      if (isDataMaskEnabled(dataMaskResult)) {
        // block the update
      }

      https://github.com/apache/ranger/blob/58b51a39ebe2e7dc4d253658e423f0afb6a74987/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L978-L982

      When the picked policy is an unmask policy, isDataMaskEnabled() returns false for it:

      private boolean isDataMaskEnabled(RangerAccessResult result) {
          return result != null && result.isMaskEnabled();
      }

      Code of RangerAccessResult#isMaskEnabled():

      public boolean isMaskEnabled() {
          return StringUtils.isNotEmpty(this.getMaskType()) && !StringUtils.equalsIgnoreCase(this.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
      }

      It is nondeterministic which column-masking policy gets matched: re-creating some policies, or disabling and then re-enabling them, changes the result. In theory, the plugin should check all column-masking policies of the table until it finds a real mask policy.
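The following is an added example, not Apache Ranger code, that models the two checks side by side. It stands in for the per-column mask results with a small hypothetical class (ColumnMaskResult), assumes a constant MASK_TYPE_NONE mirroring RangerPolicy.MASK_TYPE_NONE, and uses constructed mask-type strings; the sample table mirrors the reproduction below (redact policy on "name", unmask policy on "id"). With the current single-result check, the outcome flips depending on which matched policy the evaluator happened to pick; with the all-columns check it is stable.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not Apache Ranger code: a stand-in for the per-column mask
// results the Hive plugin receives, reduced to the one field the check needs.
public class MaskCheckDemo {
    // Assumed to mirror RangerPolicy.MASK_TYPE_NONE; the string value is a constructed sample.
    static final String MASK_TYPE_NONE = "MASK_NONE";

    // Hypothetical stand-in for RangerAccessResult, keeping only column name and mask type.
    static final class ColumnMaskResult {
        final String column;
        final String maskType; // null when no masking policy matched the column

        ColumnMaskResult(String column, String maskType) {
            this.column = column;
            this.maskType = maskType;
        }
    }

    // Same test as RangerAccessResult#isMaskEnabled(), combined with the null check
    // from isDataMaskEnabled(): an empty mask type or an unmask policy is not a mask.
    static boolean isMaskEnabled(ColumnMaskResult result) {
        return result != null
                && result.maskType != null
                && !result.maskType.isEmpty()
                && !result.maskType.equalsIgnoreCase(MASK_TYPE_NONE);
    }

    // Current behaviour: only one matched column policy is inspected, and which one
    // the evaluator picks is not fixed. 'picked' stands in for that choice.
    static boolean blockUpdateCurrent(List<ColumnMaskResult> matched, int picked) {
        return isMaskEnabled(matched.get(picked));
    }

    // Proposed behaviour: inspect every matched column policy of the table and
    // block as soon as one real mask policy is found.
    static boolean blockUpdateProposed(List<ColumnMaskResult> matched) {
        for (ColumnMaskResult result : matched) {
            if (isMaskEnabled(result)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample matching the reproduction: my_tbl(id, name, addr) with an
        // unmask policy on "id" and a redact policy on "name"; "addr" has no policy and
        // therefore never appears among the matched results.
        List<ColumnMaskResult> matched = Arrays.asList(
                new ColumnMaskResult("id", MASK_TYPE_NONE),
                new ColumnMaskResult("name", "MASK")); // constructed redact mask type

        for (int picked = 0; picked < matched.size(); picked++) {
            System.out.printf("current check, picked policy on %-4s -> blocked=%b%n",
                    matched.get(picked).column, blockUpdateCurrent(matched, picked));
        }
        System.out.println("proposed check over all columns   -> blocked="
                + blockUpdateProposed(matched));
    }
}
```

Run it with `javac MaskCheckDemo.java && java MaskCheckDemo`. The loop shows the current check reporting blocked=false when the unmask policy on "id" is the one picked and blocked=true when the redact policy on "name" is picked, while the proposed check reports blocked=true regardless of policy order.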

      How to reproduce

      Create a table with 3 columns (id int, name string, addr string). Add a redact policy on "name". Add an unmask policy on "id". Check whether updates are blocked:

      explain authorization insert into table my_tbl values (0, 'foo', 'bar');

      The result is either OK or:

      Permission denied: user [admin] does not have [UPDATE] privilege on [default/my_tbl]

      cc madhan, jcamachorodriguez

      People

        Assignee: Unassigned
        Reporter: Quanlong Huang (stigahuang)