Row-level filtering in Impala with Ranger policies

Row-level filtering policies are similar to other Ranger access policies. Apache Ranger row-level filtering policy allows to set access policies for rows when reading from a table.

You can use Apache Ranger row-level filtering policies to set access policies for rows when reading from a table. You can set filters for specific users, groups, and conditions. This release adds a new feature flag enable_row_filtering which is set to be true by default. To enable row-filtering feature you must have set the column masking flag enable_column_masking to true since the row-level filtering depends on the column masking implementation. You can use this flag enable_row_filtering to disable this feature as required.

The following limitations apply when using row-level filters:

  • Row filtering policies on nested tables can't be applied when nested collection columns(e.g. array, map columns) are used directly in the FROM clause. Such queries are currently forbidden.

    This is an example of the currently supported version of a query on the table my_tbl (id int, int_array array<int>) that has a row filter "id = 0".

    select a.item from my_tbl t, t.int_array a

    However an equivalent query below is not currently supported since it uses the int_array column non-relatively.

    select item from my_tbl.int_array

    Such queries are forbidden and you must rewrite them to the supported format until further notice.

  • For information on the steps to set the row-level filtering using Apache Ranger, see the link provided under Related Information.