Description
We added support for user/attribute based expressions in the masking condition in RANGER-3865. When only the mask condition has a user/group attribute based expression, RangerUserStoreEnricher is not enabled on the plugin end.
Steps to reproduce (for Hive):
- Create a resource based access policy:
  - Resources: database=testdb, table=employee, column=*
  - Allow condition policy item: group=public, permissions=select
- Create a masking policy:
  - Resources: database=testdb, table=employee, column=salary
  - Allow condition policy item: group=public, permissions=select
  - Masking Option = Custom expression as below:

        CASE WHEN id IN (${{USER.employee_id}}) THEN salary ELSE '0' END

- Add the following attributes to the user jack:
  - employee_id : 1,2
- We have the following data in Hive:

        id  name   salary
        1   john   5600
        2   jane   5300
        3   jack   6700
        4   harry  9500

- When the query select * from testdb.employee; is executed (as the user jack), the expectation is that the salary of the employees john and jane is displayed as it is, while for the others it is 0. In the actual result, the salary of all the employees is '0'.
- On the plugin end, the RangerUserstore cache file userstore.json is not created.
Issue Links
- is related to RANGER-3609 option to add usergroup enricher automatically based on references in policies (Resolved)
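
A check an administrator could run over exported policies to find services in the situation this report describes, where `${{...}}` references occur only in masking expressions. This is an added example, not code from Ranger or from the reporter; the JSON field names are assumed from Ranger's policy model, and the service names and sample policies are constructed.

```python
import re
from collections import defaultdict

# Macro syntax as shown in the report: ${{USER.employee_id}}
MACRO = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")

# Assumed policy-item list names, modelled on a Ranger policy JSON export.
ITEM_LISTS = ("policyItems", "denyPolicyItems", "allowExceptions",
              "denyExceptions", "dataMaskPolicyItems", "rowFilterPolicyItems")


def scan_policy(policy):
    """Return {location: [macro, ...]} for one policy dict."""
    found = defaultdict(list)
    for key in ITEM_LISTS:
        for item in policy.get(key) or []:
            mask = item.get("dataMaskInfo") or {}
            for field in ("conditionExpr", "valueExpr"):
                found["mask"] += MACRO.findall(mask.get(field) or "")
            row = item.get("rowFilterInfo") or {}
            found["rowFilter"] += MACRO.findall(row.get("filterExpr") or "")
            for cond in item.get("conditions") or []:
                for value in cond.get("values") or []:
                    found["condition"] += MACRO.findall(str(value))
    return {loc: refs for loc, refs in found.items() if refs}


def mask_only_services(policies):
    """Services whose only macro references sit in masking expressions."""
    by_service = defaultdict(set)
    for policy in policies:
        by_service[policy.get("service", "?")].update(scan_policy(policy))
    return sorted(s for s, locs in by_service.items() if locs == {"mask"})


# Constructed sample: hive_dev mirrors the report; hive_qa adds a row filter.
EXPR = "CASE WHEN id IN (${{USER.employee_id}}) THEN salary ELSE '0' END"
SAMPLE = [
    {"service": "hive_dev", "name": "employee access",
     "policyItems": [{"groups": ["public"], "accesses": [{"type": "select"}]}]},
    {"service": "hive_dev", "name": "salary mask", "dataMaskPolicyItems": [
        {"dataMaskInfo": {"dataMaskType": "CUSTOM", "valueExpr": EXPR}}]},
    {"service": "hive_qa", "name": "salary mask", "dataMaskPolicyItems": [
        {"dataMaskInfo": {"dataMaskType": "CUSTOM", "valueExpr": EXPR}}]},
    {"service": "hive_qa", "name": "own rows", "rowFilterPolicyItems": [
        {"rowFilterInfo": {"filterExpr": "id IN (${{USER.employee_id}})"}}]},
]

if __name__ == "__main__":
    print(mask_only_services(SAMPLE))
```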