Data Access Control

Apache Doris provides three mechanisms, Row Policy, Column Permission, and Data Masking, to help administrators enforce fine-grained access control over sensitive data across rows, columns, and field content. This document covers how these mechanisms work, their limitations, and typical examples.

Applicable Scenarios

| Scenario | Recommended mechanism | Description |
| --- | --- | --- |
| Different users can only see some rows of a table (for example, isolation by region, tenant, or department) | Row Policy | Automatically appends a filter predicate to the query |
| Different users can only access some columns of a table (for example, hiding salary or phone number columns) | Column Permission | Grants Select_priv only on the specified columns |
| Sensitive fields need to be partially hidden or replaced (for example, displaying an ID card or bank card number as ***) | Data Masking | Configure a masking policy through Apache Ranger |

Prerequisites

  • The current user has management permissions on the target object (such as the GRANT privilege).
  • Data masking depends on Apache Ranger. Complete the Ranger integration first (see Apache Ranger Authorization).
  • None of the three mechanisms take effect on the default users root and admin.

Row Policy

With row-level policies in Doris, you can apply fine-grained access control to sensitive data. Based on the security policies defined at the table level, you can decide which users or roles can access specific records in a table.

How It Works

For a user configured with a Row Policy, Doris automatically appends the predicate defined in the Row Policy to the query.

Limitations

  • Row Policies cannot be set for the default users root and admin.

Row Policy Examples

  1. Restrict user test to only query rows in table1 where c1='a':

    CREATE ROW POLICY test_row_policy_1 ON test.table1 
    AS RESTRICTIVE TO test USING (c1 = 'a');

Column Permission

With column permissions in Doris, you can apply fine-grained access control to tables. You can grant permissions on specific columns of a table only, to decide which users or roles can access those columns.

Currently, column permissions only support Select_priv.

Column Permission Examples

  1. Grant user1 the privilege to query columns col1 and col2 in table tbl:

    GRANT Select_priv(col1,col2) ON ctl.db.tbl TO user1;
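
The following walkthrough is an added example, not part of the original Doris documentation. It combines a Row Policy and a Column Permission on one table and verifies both from a regular user, because root and admin bypass these controls. The database, table, user, policy name, and password (demo_db, orders, analyst_east, orders_east_only, Change_me_123) are hypothetical, and the table properties assume a single-backend test cluster.

```sql
-- Setup: run as an administrator. All object names below are hypothetical.
CREATE DATABASE IF NOT EXISTS demo_db;

CREATE TABLE demo_db.orders (
    order_id       BIGINT,
    region         VARCHAR(16),
    customer_phone VARCHAR(32),
    amount         DECIMAL(10, 2)
)
DUPLICATE KEY(order_id)
DISTRIBUTED BY HASH(order_id) BUCKETS 1
PROPERTIES ("replication_num" = "1");  -- assumption: single-BE test cluster

-- Constructed sample rows.
INSERT INTO demo_db.orders VALUES
    (1, 'east', '555-0100', 10.00),
    (2, 'west', '555-0101', 20.00);

-- A regular user for verification; the password is a placeholder.
CREATE USER 'analyst_east' IDENTIFIED BY 'Change_me_123';

-- Column Permission: everything except customer_phone.
GRANT Select_priv(order_id, region, amount)
    ON internal.demo_db.orders TO 'analyst_east';

-- Row Policy: only rows for the east region.
CREATE ROW POLICY orders_east_only ON demo_db.orders
    AS RESTRICTIVE TO analyst_east USING (region = 'east');

-- Review what was configured before testing.
SHOW GRANTS FOR 'analyst_east';
SHOW ROW POLICY FOR analyst_east;

-- Verification: reconnect as analyst_east, then run the queries below.

-- Expected: only order_id 1 is returned, because Doris appends
-- region = 'east' to the query.
SELECT order_id, region, amount FROM demo_db.orders;

-- Expected: rejected for insufficient privileges, because
-- customer_phone is not covered by the column grant.
SELECT customer_phone FROM demo_db.orders;

-- Cleanup: run as an administrator.
DROP ROW POLICY orders_east_only ON demo_db.orders;
DROP USER 'analyst_east';
```

Running the same two SELECT statements as root or admin returns every row and column, which is why verification has to be done from the regular user.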

Data Masking

Data masking is a method for protecting sensitive data. It modifies, replaces, or hides the original data so that the masked data keeps a certain format and characteristics while no longer containing sensitive information.

For example, an administrator can replace part or all of the digits of sensitive fields such as credit card numbers and ID card numbers with asterisks * or other characters, or replace real names with pseudonyms.

Starting from version 2.1.2, Doris supports setting masking policies on columns through Apache Ranger Data Masking. Apache Ranger is currently the only supported way to configure masking policies.

Data masking does not take effect for the admin or root user.

FAQ

Q: Row Policy or data masking was configured for the root or admin user, but it did not take effect.

None of the three mechanisms take effect on the default superusers root and admin. Use a regular business user for verification.

Q: After granting column permissions, queries still report insufficient privileges.

Column permissions currently only support Select_priv. Confirm that the grant statement uses this privilege and that the grant target is the intended Catalog, database, or table.

Q: The data masking policy did not take effect.

Data masking must be configured through Apache Ranger and requires Doris version 2.1.2 or later. Confirm that the Ranger integration is complete, the policy is active, and the current user is not root or admin.