Row-level filtering in Impala with Ranger policies
Row-level filtering policies are similar to other Ranger access policies. Apache Ranger row-level filtering policy allows to set access policies for rows when reading from a table.
You can use Apache Ranger row-level filtering policies to set access policies for rows when
reading from a table. You can set filters for specific users, groups, and conditions. This
release adds a new feature flag enable_row_filtering
which is set to be true by
default. To enable row-filtering feature you must have set the column masking flag
enable_column_masking
to true since the row-level filtering depends on the
column masking implementation. You can use this flag enable_row_filtering
to
disable this feature as required.
The following limitations apply when using row-level filters:
-
Row filtering policies on nested tables can't be applied when nested collection columns(e.g. array, map columns) are used directly in the FROM clause. Such queries are currently forbidden.
This is an example of the currently supported version of a query on the table my_tbl (id int, int_array array<int>) that has a row filter "id = 0".
select a.item from my_tbl t, t.int_array a
However an equivalent query below is not currently supported since it uses the int_array column non-relatively.
select item from my_tbl.int_array
Such queries are forbidden and you must rewrite them to the supported format until further notice.
For information on the steps to set the row-level filtering using Apache Ranger, see the link provided under Related Information.