Enabling security through Row-Level Filtering and Column Masking
Row-level filtering and column masking are supported in HDP 2.5. This functionality lets you filter rows from query results and mask data in query results, both based on Apache Ranger policies.
Row-level filtering
To create row-level filtering, a new type of policy has been added to Apache Ranger: Row Level Filter. This filter is very similar to existing access policies and contains filters for specific users, groups, and conditions. The filter must be a valid WHERE clause for the table or view. Each table or view should have its own row-filter policy.
Filters are evaluated in order by priority. You can exclude users, groups, and conditions from row filtering.
Note: Wildcard matching of the database or table is not supported.
Column masking
To create column masking, a new type of policy has been added to Apache Ranger: Masking. This policy type supports various types of masking, including the following: show last 4 digits, show first 4 digits, hash, show only year, and NULL. You can pick the type of masking for specific users, groups, or conditions. Each column should have its own masking policy.
Masks are evaluated in the order that they are listed in the policy. You can exclude users, groups, or conditions from masking. HDP supports the addition of mask types through configuration and UDFs.
Note: Wildcard matching of the database, table, or column is not supported.
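A simplified model of the ordered evaluation described in both sections, as an added example that is not Ranger or HDP code: the first policy item that names the user or one of their groups decides both the row filter and the mask. The policy items, table, user and group names are hypothetical, sqlite3 stands in for Hive, the mask functions are approximations, and treating a user who matches no item as unfiltered and unmasked is this model's assumption.

```python
import hashlib
import sqlite3

# Constructed sample table; sqlite3 stands in for Hive in this model.
ROWS = [("alice", "EMEA", "123-45-6789"),
        ("bob", "APAC", "987-65-4321"),
        ("carol", "EMEA", "555-44-3333")]

# Hypothetical row-filter items in evaluation order: (users, groups, WHERE clause).
# An empty expression models excluding those principals from filtering.
ROW_FILTER_ITEMS = [({"auditor1"}, set(), ""),
                    (set(), {"emea_analysts"}, "region = 'EMEA'"),
                    (set(), {"analysts"}, "region = 'NONE'")]

# Hypothetical masking items for the ssn column, in the order they are listed.
MASK_ITEMS = [({"auditor1"}, set(), "NONE"),
              (set(), {"emea_analysts"}, "SHOW_LAST_4"),
              (set(), {"analysts"}, "HASH")]

# Approximations of the mask types named on this page (not Ranger's own functions).
MASKS = {
    "NONE": lambda v: v,
    "SHOW_LAST_4": lambda v: "x" * (len(v) - 4) + v[-4:],
    "SHOW_FIRST_4": lambda v: v[:4] + "x" * (len(v) - 4),
    "HASH": lambda v: hashlib.sha256(v.encode()).hexdigest(),
    "NULL": lambda v: None,
}

def first_match(items, user, groups, default):
    """Return the setting of the first item naming the user or one of their groups."""
    for users, item_groups, setting in items:
        if user in users or groups & item_groups:
            return setting
    return default  # model assumption: no matching item means no filter / no mask

def query_as(user, groups):
    """Rows of customers(name, region, ssn) as this user would see them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, region TEXT, ssn TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", ROWS)
    where = first_match(ROW_FILTER_ITEMS, user, groups, "")
    mask = MASKS[first_match(MASK_ITEMS, user, groups, "NONE")]
    sql = "SELECT name, region, ssn FROM customers" + (f" WHERE {where}" if where else "")
    # The filter text comes from the policy author, never from the querying user.
    return [(n, r, mask(s)) for n, r, s in db.execute(sql + " ORDER BY name")]
```

Because the first matching item wins, a user in both `emea_analysts` and `analysts` gets the EMEA filter and the last-4 mask; reordering the items would change what that user sees, so review item order whenever a group is added.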
For more information, refer to Row-level Filtering and Column Masking in Hive.