Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 0.6.3, 1.0.0, 0.7.1, 1.1.0, 1.2.0, 2.1.0
- Fix Version/s: None
- Component/s: None
Description
Per RANGER-1087 and RANGER-1100, table modifications (insert/delete/update) should be blocked when a row-filter or column-masking policy is enabled for the user. However, when there are no row-filtering policies on the table and the columns carry both mask and unmask policies, updates may not be blocked.
The cause is that only one column-masking policy of the table is checked, regardless of whether it is an unmask (MASK_TYPE_NONE) policy:

```java
// check if masking is enabled for any column in the table/view
request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);

RangerAccessResult dataMaskResult = getDataMaskResult(request);

if (isDataMaskEnabled(dataMaskResult)) {
    // block the update
}
```
When the picked policy is an unmask policy, isDataMaskEnabled() returns false for it:

```java
private boolean isDataMaskEnabled(RangerAccessResult result) {
    return result != null && result.isMaskEnabled();
}
```
Code for RangerAccessResult#isMaskEnabled():

```java
public boolean isMaskEnabled() {
    return StringUtils.isNotEmpty(this.getMaskType())
        && !StringUtils.equalsIgnoreCase(this.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
}
```
Which column-masking policy gets matched is nondeterministic: re-creating some policies, or disabling and then re-enabling them, changes the result. The check should instead walk all column-masking policies of the table until it finds a real mask policy.
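The following is an added illustration, not code from the Ranger project, of why a single-policy lookup is order-dependent while a scan over all matched column policies is not. ColumnMaskResult is a hypothetical stand-in for RangerAccessResult reduced to the mask type, and isMaskEnabled() reproduces the test quoted above; the single-policy lookup is modelled as taking the first matched result. The literal mask-type values ("MASK_NONE" for RangerPolicy.MASK_TYPE_NONE and "MASK" for redact) are assumed to match Ranger's constants.

```java
import java.util.Arrays;
import java.util.List;

public class MaskCheckExample {
    // Assumed value of RangerPolicy.MASK_TYPE_NONE (the "unmask" policy type).
    static final String MASK_TYPE_NONE = "MASK_NONE";

    // Hypothetical stand-in for RangerAccessResult, keeping only the mask type.
    static final class ColumnMaskResult {
        final String column;
        final String maskType; // null/empty: no policy matched; MASK_NONE: unmask policy

        ColumnMaskResult(String column, String maskType) {
            this.column = column;
            this.maskType = maskType;
        }

        // Same test as RangerAccessResult#isMaskEnabled() in the issue text.
        boolean isMaskEnabled() {
            return maskType != null && !maskType.isEmpty()
                && !maskType.equalsIgnoreCase(MASK_TYPE_NONE);
        }
    }

    // Behaviour described in the issue: only one matched column policy is consulted,
    // so the answer depends on which policy the engine happens to return.
    static boolean singlePolicyCheck(List<ColumnMaskResult> matched) {
        return !matched.isEmpty() && matched.get(0).isMaskEnabled();
    }

    // Intended behaviour: keep scanning matched column policies until a real mask is found.
    static boolean allPoliciesCheck(List<ColumnMaskResult> matched) {
        for (ColumnMaskResult r : matched) {
            if (r.isMaskEnabled()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Table from the reproduction steps: "id" has an unmask policy, "name" a redact policy,
        // "addr" has no masking policy and therefore yields no matched result.
        ColumnMaskResult id = new ColumnMaskResult("id", MASK_TYPE_NONE);
        ColumnMaskResult name = new ColumnMaskResult("name", "MASK");

        List<ColumnMaskResult> nameFirst = Arrays.asList(name, id);
        List<ColumnMaskResult> idFirst = Arrays.asList(id, name);

        // Single-policy lookup flips with policy order: update blocked in one case, allowed in the other.
        System.out.println("single policy, name matched first: " + singlePolicyCheck(nameFirst)); // true
        System.out.println("single policy, id matched first:   " + singlePolicyCheck(idFirst));   // false

        // Scanning all matched policies blocks the update regardless of order.
        System.out.println("all policies, name matched first:  " + allPoliciesCheck(nameFirst));  // true
        System.out.println("all policies, id matched first:    " + allPoliciesCheck(idFirst));    // true
    }
}
```

The second check is the property the issue asks for: the decision to block the update depends only on whether any column of the table carries a real mask policy, not on which matched policy the engine returns first.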
How to reproduce
Create a table with 3 columns (id int, name string, addr string). Add a redact policy on "name". Add an unmask policy on "id". Check whether updates are blocked:

```sql
explain authorization insert into table my_tbl values (0, 'foo', 'bar');
```

The result is either OK, or:

```
Permission denied: user [admin] does not have [UPDATE] privilege on [default/my_tbl]
```
Issue Links
- relates to
  - RANGER-1087 Block insert/update/delete/truncate when row-filter/column-mask is enabled for the user (Resolved)
  - RANGER-1100 Hive authorizer does not block update when row-filter/column-mask is specified on the table for the user (Resolved)