Support Questions

Find answers, ask questions, and share your expertise

Masking data in Ranger policy from Atlas tags

avatar
Rising Star

I want to mask some data. I'm testing in the 2.6.3 sandbox

I have created a tag:

{"category": "CLASSIFICATION",
"guid": "bb29dc29-11ba-4d92-8d8f-fdca8ae92ea4",
"createdBy": "holger_gov",
"updatedBy": "holger_gov",
"createTime": 1518326442355,
"updateTime": 1518326442355,
"version": 1,
"name": "test_pii_tag",
"description": "test_pii_tag",
"typeVersion": "1.0",
"attributeDefs": [  {"name": "masking_type",
"typeName": "string",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false
},

  {"name": "last_4",
"typeName": "boolean",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false
}

],

"superTypes": [],
}

I have tagged 4 columns on foodmart.customer with test_pii_tag and set the following attributes:

lname (attribute string masking_type = "hash")

fname (attribute string masking_type = "nullify")

address1 (attribute boolean last_4 = true )

birthdate (attribute string masking_type = "year")

I created one Ranger tag policy and set the following deny setting for raj_ops:

Mask: Hive hash

if ( tagAttr.get('masking_type').equals("hash") ) {
	ctx.result = true;
   }

Mask: Hive nullify

if ( tagAttr.get('masking_type').equals("nullify") ) {
	ctx.result = true;
   }

Mask: Hive Date: show only year

if ( tagAttr.get('masking_type').equals("year") ) {
	ctx.result = true;
   }

Mask: Hive Partial mask show last 4

if ( tagAttr.get('last_4').equals("true") ) {
	ctx.result = true;
   }


-- I also tried the below with the same results

if ( tagAttr.get('last_4') ) {
	ctx.result = true;
   }

When I run SELECT * FROM customer LIMIT 100; I see the following:

lname is hashed - as expected

fname null - as expected

address1 is hashed - not as expected

birthdate yyyy-01-01 as expected


What is wrong with my javascript expressions to cause address1 to be hashed instead of 'Partial mask show last 4'?

1 ACCEPTED SOLUTION

avatar
Rising Star

I actually figured it out myself.

I needed to use the following JavaScript for the policy conditions:

tagAttr.masking_type=='hash'
tagAttr.masking_type=='nullify'
tagAttr.masking_type=='year'
tagAttr.last_4

View solution in original post

2 REPLIES 2

avatar
Rising Star

I actually figured it out myself.

I needed to use the following JavaScript for the policy conditions:

tagAttr.masking_type=='hash'
tagAttr.masking_type=='nullify'
tagAttr.masking_type=='year'
tagAttr.last_4

avatar
New Contributor

can we use the same on impala or hbase tables