Resource based masking policy with override priority

Apache Ranger policy model provides policy priority to override decisions made by normal priority policies. This can be used to provide (temporary) access to resources when another policy might deny access  - for example:

• access to finance database is to be allowed only for users in finance-users group; everyone else is should be denied access
• access to a subset of tables/columns in finance database should be allowed for users in auditors group

Above requirement can be met by creating following 2 policies:

• policy #1: resource: { database=finance }, groups:  [ finance ], permissions:  [ all ], isDenyAllElse: true
• policy #2: resource: { database=finance, table=audit* }, groups: [ auditors ], permissions: [ select ], priority: override

Such policy override works well for access requests, even across tag-based and resource-based policies. However, for data-masking policies, the decision made by a tag-based masking policy are not overridden by resource-based policies with override priority. For example:

• tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact, priority=normal
• resource-masking-policy #2: resource: { database=customer, table=order, column=amount }, groups: [ analyst ], maskType=none, priority=override

Above policies should allow users in analyst group to see unmasked value of customer.order.amount column, even when the column is tagged as SENSITIVE. Currently users in analyst group will only see values with redact masking applied.