Apache Doris provides three mechanisms, Row Policy, Column Permission, and Data Masking, to help administrators enforce fine-grained access control over sensitive data across rows, columns, and field content. This document covers how these mechanisms work, their limitations, and typical examples.
| Scenario | Recommended mechanism | Description |
|---|---|---|
| Different users can only see some rows of a table (for example, isolation by region, tenant, or department) | Row Policy | Automatically appends a filter predicate to the query |
| Different users can only access some columns of a table (for example, hiding salary or phone number columns) | Column Permission | Grants Select_priv only on the specified columns |
| Sensitive fields need to be partially hidden or replaced (for example, displaying an ID card or bank card number as ***) | Data Masking | Configure a masking policy through Apache Ranger |

GRANT privilege). root and admin.

With row-level policies in Doris, you can apply fine-grained access control to sensitive data. Based on the security policies defined at the table level, you can decide which users or roles can access specific records in a table.
For a user configured with a Row Policy, Doris automatically appends the predicate defined in the Row Policy to the query.
root and admin.

Restrict user test to only query rows in table1 where c1='a':

```sql
CREATE ROW POLICY test_row_policy_1 ON test.table1 AS RESTRICTIVE TO test USING (c1 = 'a');
```
With column permissions in Doris, you can apply fine-grained access control to tables. You can grant permissions on specific columns of a table only, to decide which users or roles can access those columns.
Currently, column permissions only support Select_priv.
Grant user1 the privilege to query columns col1 and col2 in table tbl:
```sql
GRANT Select_priv(col1,col2) ON ctl.db.tbl TO user1;
```
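The following added example (not taken from the Doris documentation) applies a Row Policy and a Column Permission to the same table and checks both from a regular account, because neither mechanism takes effect for root or admin. The table layout, sample rows, columns c2 and c3, the password, and the use of the built-in `internal` catalog are assumptions made for the example.

```sql
-- Added example: schema, sample rows, columns c2/c3 and the password are constructed.

-- Part 1: run as an account that holds the GRANT privilege.
CREATE DATABASE IF NOT EXISTS test;

CREATE TABLE IF NOT EXISTS test.table1 (
    c1 VARCHAR(16),
    c2 INT,
    c3 VARCHAR(64)   -- stands in for a sensitive column
)
DUPLICATE KEY(c1)
DISTRIBUTED BY HASH(c1) BUCKETS 1
PROPERTIES ("replication_num" = "1");

INSERT INTO test.table1 VALUES
    ('a', 1, 'sensitive-a'),
    ('b', 2, 'sensitive-b');

CREATE USER IF NOT EXISTS 'test' IDENTIFIED BY 'Constructed_Passw0rd';

-- Column Permission: c1 and c2 only; c3 is deliberately left out of the grant.
GRANT Select_priv(c1, c2) ON internal.test.table1 TO 'test';

-- Row Policy: the statement from this page.
CREATE ROW POLICY test_row_policy_1 ON test.table1 AS RESTRICTIVE TO test USING (c1 = 'a');

-- Review what is attached to the user before testing.
SHOW ROW POLICY FOR test;
SHOW GRANTS FOR 'test';

-- Part 2: reconnect as user test (not root or admin) and run the checks.
-- Row check: Doris appends c1 = 'a' to this query for user test.
SELECT c1, c2 FROM test.table1;
-- Column check: c3 is not covered by Select_priv(c1, c2).
SELECT c3 FROM test.table1;
-- Wildcard check: SELECT * also touches the ungranted column c3.
SELECT * FROM test.table1;

-- Part 3: clean up as the administrator.
DROP ROW POLICY test_row_policy_1 ON test.table1 FOR test;
DROP USER 'test';
```

Running the Part 2 queries a second time as root or admin shows the contrast: the policies are not applied to those accounts.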
Data masking is a method for protecting sensitive data. It modifies, replaces, or hides the original data so that the masked data keeps a certain format and characteristics while no longer containing sensitive information.
For example, an administrator can replace part or all of the digits of sensitive fields such as credit card numbers and ID card numbers with asterisks * or other characters, or replace real names with pseudonyms.
Starting from version 2.1.2, Doris supports setting masking policies on columns through Apache Ranger Data Masking. Apache Ranger is currently the only supported way to configure masking.
Data masking does not take effect for the admin or root user.

root or admin user, but it did not take effect.

None of the three mechanisms take effect on the default superusers root and admin. Use a regular business user for verification.
Column permissions currently only support Select_priv. Confirm that the grant statement uses this privilege and that the grant target is the intended Catalog, database, or table.
Data masking must be configured through Apache Ranger and requires Doris version 2.1.2 or later. Confirm that the Ranger integration is complete, the policy is active, and the current user is not root or admin.