Re: Row level restriction in Apache Ranger

das_dineshk · ‎09-21-2017

I have a table which has 1 field as country.

I have another table with data having list of country name.

I want to give restriction to a user belongs to list of country name from tableB.

So I want to see only data belong to ID=4 from table A.

All the data matched between 2 tables needs to be restricted.

Can I do this using Apache Ranger ?

The query will be like this
"SELECT A.* FROM TableA AS A LEFT JOIN TableB AS B ON B.country = A.country AND B. IS NULL"

TableA
 ID           Account 			country
 1              Acc1			  US
 2              Acc2			  IND
 3              Acc3			  US
 4		Acc4			  RUS

 TableB
 Opp          country
 Opp1            US
 Opp2            IND
 Opp3            AUS
 Opp4		 NZL

ssahi · ‎09-21-2017

Hi @Dinesh Das

There is a feature for setting policies on resources accessed together. You may want to review this post, which walks you though setting it up (please note the API call required to enable the feature): https://community.hortonworks.com/articles/63664/how-to-create-a-ranger-policy-that-prohibits-combi....

das_dineshk · ‎09-22-2017

@Sonu Sahi

My question was how to restrict 1 table for multiple resource not only 2.

Like how you will restrict multiple location ( Bangalore,delhi,Mumbai ) for a person belongs to Hyderabad.

And Can we involve 2 tables and do the filteration ?

dsharma · ‎09-22-2017

there is feature available in ranger called Rowfilter and column masking in ranger that will help you

https://community.hortonworks.com/articles/58255/row-filter-and-column-masking.html

you can create row filter policy on your table

das_dineshk · ‎09-22-2017

@Deepak Sharma

am looking for giving more than one option.

In this case I want to restrict multiple location ( Bangalore,delhi,Mumbai )

dsharma · ‎09-22-2017

Sonu Sahi yes it is possible , so in row leve filter you can give a nested condition so for your use case it will be:

country not in (select country from TableB)

try out this!!