From Eric Alton <sultanapea...@hotmail.com>
Subject Re: Can the resource 'column' only exist in the masking policies?
Date Thu, 28 Jun 2018 21:09:48 GMT
Thanks Bosco, Ramesh.


I wanted to try disabling the code reporting an error, as Ramesh suggested, but didn't get
to it today and am minutes away from starting a week of vacation :-)


I made the change, compiled, and am trying to figure out what to do with the security-admin-web-1.1.0-SNAPSHOT.war
that was generated. Let me know if you have any tips on how to apply that to my HDP 2.6.5
install. This is all I found under /usr/hdp on the Ranger admin host:


# find ./ -name security-admin*
./2.6.5.0-292/ranger-admin/ews/webapp/META-INF/maven/org.apache.ranger/security-admin-web

# ls ./2.6.5.0-292/ranger-admin/ews/webapp/META-INF/maven/org.apache.ranger/security-admin-web
pom.properties  pom.xml


________________________________
From: Don Bosco Durai <bosco@apache.org>
Sent: June 27, 2018 7:53 PM
To: user@ranger.apache.org
Subject: Re: Can the resource 'column' only exist in the masking policies?


> Actually one workaround, if it were possible, would be to have column in the access policy
but have it be read-only and initialized to the wild card character, *.



I like your suggestion. For now, since you will be implementing the plugin, you can ignore
whatever is entered in the column's field. After you get everything working, we should be
able to update Ranger to make this field optional or non-visible.



Bosco





From: Eric Alton <sultanapeanut@hotmail.com>
Reply-To: <user@ranger.apache.org>
Date: Wednesday, June 27, 2018 at 2:08 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Can the resource 'column' only exist in the masking policies?



Thanks Ramesh. I'll try that out tomorrow.



Without column as a resource in the access policies, all policies are defined at the table
level and so applicable to all columns.  I could grant a user select access on a table (which
implies select on every column) and then have masks defined for individual columns.



Actually one workaround, if it were possible, would be to have column in the access policy
but have it be read-only and initialized to the wild card character, *.



There's nothing special about my servicedef. In the top level resources I have schema and
table. Under dataMaskDef->resources I have schema, table, and column. This is what they
look like.

    "resources":[
        {
            "label":"Big SQL Schema",
            "rbKeyLabel":null,
            "rbKeyDescription":null,
            "itemId":1,
            "mandatory":true,
            "validationRegEx":"",
            "validationMessage":"",
            "uiHint":"",
            "rbKeyValidationMessage":null,
            "lookupSupported":true,
            "recursiveSupported":false,
            "excludesSupported":true,
            "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions":
            {"wildCard":"true", "ignoreCase":"true"},
            "level":10,
            "description":"Big SQL Schema",
            "name":"schema",
            "parent":null,
            "type":"string"
        },

        {
            "label":"Big SQL Table",
            "rbKeyLabel":null,
            "rbKeyDescription":null,
            "itemId":2,
            "mandatory":true,
            "validationRegEx":"",
            "validationMessage":"",
            "uiHint":"",
            "rbKeyValidationMessage":null,
            "lookupSupported":true,
            "recursiveSupported":false,
            "excludesSupported":true,
            "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions":
            {"wildCard":"true", "ignoreCase":"true"},
            "level":20,
            "description":"Big SQL Table",
            "name":"table",
            "parent":"schema",
            "type":"string"
        }

(and under dataMaskDef this one is added below Big SQL Table):

        {
            "label":"Big SQL Column",
            "rbKeyLabel":null,
            "rbKeyDescription":null,
            "itemId":3,
            "mandatory":true,
            "validationRegEx":"",
            "validationMessage":"",
            "uiHint":"",
            "rbKeyValidationMessage":null,
            "lookupSupported":false,
            "recursiveSupported":false,
            "excludesSupported":true,
            "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions":{"wildCard":"true", "ignoreCase":"true"},
            "level":30,
            "description":"Big SQL Column",
            "name":"column",
            "parent":"table",
            "type":"string"
        }






________________________________

From: Ramesh Mani <rmani@hortonworks.com>
Sent: June 27, 2018 4:03 PM
To: user@ranger.apache.org
Subject: Re: Can the resource 'column' only exist in the masking policies?



Eric



Also, in your ranger code base, please try bypassing these checks?



https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java#L569





https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java#L576



Regards,

Ramesh



From: Ramesh Mani <rmani@hortonworks.com>
Date: Wednesday, June 27, 2018 at 12:34 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Can the resource 'column' only exist in the masking policies?



Hello Eric,



Like Bosco mentioned, your scenario of having the column resource enabled only for the data masking
definition is not tested, and also in the hive plugin we expect the user to have at least "select"
access to the column in order for the column masking to be evaluated for that user.



So that means column level resource authorization checks have to be bypassed and go to data masking
policy evaluation. I strongly feel that we are looking for some code change in the hive authorizer
in that case.



Could you please share your service-def which you are evaluating if possible?



Thanks,

Ramesh



From: Don Bosco Durai <bosco@apache.org>

Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Tuesday, June 26, 2018 at 7:22 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Can the resource 'column' only exist in the masking policies?



I looked into the Hive Service Definition and it seems we have different sets of resource
type definitions for Access Policy and Masking. So ideally, whatever you are doing is supported
by the Service Definition. It might be that your scenario has not been tested.



Best way would be for you to just trace the code and see where you are getting the error.



Madhan or Ramesh who are more familiar with the code might have more insights.



Bosco





From: Eric Alton <sultanapeanut@hotmail.com>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, June 26, 2018 at 7:18 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Can the resource 'column' only exist in the masking policies?



I'm looking to add column masking to a custom plugin (Big SQL), and we do not have column
level access policies.



________________________________

From: Don Bosco Durai <bosco@apache.org>
Sent: June 26, 2018 5:27 PM
To: user@ranger.apache.org
Subject: Re: Can the resource 'column' only exist in the masking policies?



Are you using out of the box Hive Ranger Plugin? Or is it a custom Ranger plugin?



Bosco





From: Eric Alton <sultanapeanut@hotmail.com>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, June 26, 2018 at 2:14 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Can the resource 'column' only exist in the masking policies?



Our Ranger plugin does not support column level access policies, but we want to support column
masking. I've been playing around with the servicedef file, and can not get column to only
appear in the masking policies. Is there a way to do this?



(top level) resources: schema is a parent of table

dataMaskDef->resources: schema is a parent of table. table is a parent of column.



The error I get when only listing column under dataMaskDef->resources is:

{"statusCode":1,"msgDesc":"resource with name: column does not exists","messageList":[{"name":"DATA_NOT_FOUND","rbKey":"xa.error.data_not_found","message":"Data not found"}]}
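The mismatch behind this error, reproduced as an added example (not code from the thread or from Ranger itself): a servicedef whose dataMaskDef lists a resource that the top-level resources do not define, a check that mirrors the lookup the thread points at in ServiceDBStore (that mapping is my assumption), and the workaround discussed later in the thread of carrying the masking-only resource into the top-level list so the plugin can treat it as the wildcard. The servicedef fragment is constructed from the schema/table/column layout described above.

```python
import copy

# Constructed servicedef fragment shaped like the Big SQL definition in the thread:
# top-level resources are schema -> table; dataMaskDef adds column under table.
BIGSQL_SERVICEDEF = {
    "name": "bigsql",
    "resources": [
        {"itemId": 1, "name": "schema", "parent": None, "level": 10},
        {"itemId": 2, "name": "table", "parent": "schema", "level": 20},
    ],
    "dataMaskDef": {
        "resources": [
            {"itemId": 1, "name": "schema", "parent": None, "level": 10},
            {"itemId": 2, "name": "table", "parent": "schema", "level": 20},
            {"itemId": 3, "name": "column", "parent": "table", "level": 30},
        ]
    },
}


def missing_mask_resources(servicedef):
    """Return dataMaskDef resource names absent from the top-level resources.

    Assumption: this mirrors the admin-side lookup referenced in the thread, which
    rejects masking resources that are not also defined as top-level resources.
    """
    top_level = {r["name"] for r in servicedef.get("resources", [])}
    mask_def = servicedef.get("dataMaskDef") or {}
    return [r["name"] for r in mask_def.get("resources", []) if r["name"] not in top_level]


def ranger_style_error(name):
    """Shape the rejection the way the admin REST API reported it in the thread."""
    return {
        "statusCode": 1,
        "msgDesc": f"resource with name: {name} does not exists",
        "messageList": [{"name": "DATA_NOT_FOUND", "rbKey": "xa.error.data_not_found",
                         "message": "Data not found"}],
    }


def promote_mask_resources(servicedef):
    """Workaround from the thread: copy masking-only resources into the top-level list
    so the admin accepts the servicedef; the plugin then ignores the column value in
    access policies (i.e. evaluates it as the wildcard '*'). Input is left untouched."""
    fixed = copy.deepcopy(servicedef)
    known = {r["name"] for r in fixed["resources"]}
    for r in fixed["dataMaskDef"]["resources"]:
        if r["name"] not in known:
            fixed["resources"].append(copy.deepcopy(r))
            known.add(r["name"])
    return fixed
```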




