Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Masking data in Ranger policy from Atlas tags

Solved Go to solution

Masking data in Ranger policy from Atlas tags

Contributor

I want to mask some data. I'm testing in the 2.6.3 sandbox

I have created a tag:

{"category": "CLASSIFICATION",
"guid": "bb29dc29-11ba-4d92-8d8f-fdca8ae92ea4",
"createdBy": "holger_gov",
"updatedBy": "holger_gov",
"createTime": 1518326442355,
"updateTime": 1518326442355,
"version": 1,
"name": "test_pii_tag",
"description": "test_pii_tag",
"typeVersion": "1.0",
"attributeDefs": [  {"name": "masking_type",
"typeName": "string",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false
},

  {"name": "last_4",
"typeName": "boolean",
"isOptional": true,
"cardinality": "SINGLE",
"valuesMinCount": 0,
"valuesMaxCount": 1,
"isUnique": false,
"isIndexable": false
}

],

"superTypes": [],
}

I have tagged 4 columns on foodmart.customer with test_pii_tag and set the following attributes:

lname (attribute string masking_type = "hash")

fname (attribute string masking_type = "nullify")

address1 (attribute boolean last_4 = true )

birthdate (attribute string masking_type = "year")

I created one Ranger tag policy and set the following deny setting for raj_ops:

Mask: Hive hash

if ( tagAttr.get('masking_type').equals("hash") ) {
	ctx.result = true;
   }

Mask: Hive nullify

if ( tagAttr.get('masking_type').equals("nullify") ) {
	ctx.result = true;
   }

Mask: Hive Date: show only year

if ( tagAttr.get('masking_type').equals("year") ) {
	ctx.result = true;
   }

Mask: Hive Partial mask show last 4

if ( tagAttr.get('last_4').equals("true") ) {
	ctx.result = true;
   }


-- I also tried the below with the same results

if ( tagAttr.get('last_4') ) {
	ctx.result = true;
   }

When I run SELECT * FROM customer LIMIT 100; I see the following:

lname is hashed - as expected

fname null - as expected

address1 is hashed - not as expected

birthdate yyyy-01-01 as expected


What is wrong with my javascript expressions to cause address1 to be hashed instead of 'Partial mask show last 4'?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Masking data in Ranger policy from Atlas tags

Contributor

I actually figured it out myself.

I needed to use the following JavaScript for the policy conditions:

tagAttr.masking_type=='hash'
tagAttr.masking_type=='nullify'
tagAttr.masking_type=='year'
tagAttr.last_4
2 REPLIES 2

Re: Masking data in Ranger policy from Atlas tags

Contributor

I actually figured it out myself.

I needed to use the following JavaScript for the policy conditions:

tagAttr.masking_type=='hash'
tagAttr.masking_type=='nullify'
tagAttr.masking_type=='year'
tagAttr.last_4

Re: Masking data in Ranger policy from Atlas tags

New Contributor

can we use the same on impala or hbase tables