[Feature] add data mask policy docs

Author: garenshi

docs/admin-manual/auth/authorization/data.md

@@ -52,6 +52,22 @@ Data masking is a method to protect sensitive data by modifying, replacing, or h
 
 For example, administrators can choose to replace part or all of the digits of sensitive fields such as credit card numbers or ID numbers with asterisks * or other characters, or replace real names with pseudonyms.
 
-Starting from version 2.1.2, data masking is supported through Apache Ranger's Data Masking to set masking policies for certain columns, currently only through [Apache Ranger](ranger.md).
+Currently, data masking policies can be configured in two ways:
+
+### 1. Doris Built-in Data Masking Policies
+### Related Commands
+- Create a data masking policy [CREATE DATA MASK POLICY](../../../sql-manual/sql-statements/data-governance/CREATE-DATA-MASK-POLICY)
+- View data masking policies [SHOW DATA MASK POLICY](../../../sql-manual/sql-statements/data-governance/SHOW-DATA-MASK-POLICY)
+- Drop a data masking policy [DROP DATA MASK POLICY](../../../sql-manual/sql-statements/data-governance/DROP-DATA-MASK-POLICY)
+### Data Masking Policy Example
+1. Apply the MASK_HASH policy to the t1.c1 column for the test user
+
+```sql
+CREATE DATA MASK POLICY test_policy_1 ON t1.c1
+TO test USING MASK_HASH;
+```
+### 2. External Configuration via Apache Ranger
+
+Starting from version 2.1.2, data masking policies can be configured for specific columns through Apache Ranger Data Masking. For details, refer to： [Apache Ranger](./ranger)
 
 > Data Masking settings for admin/root users will not take effect.

docs/sql-manual/sql-statements/data-governance/CREATE-DATA-MASK-POLICY.md

@@ -0,0 +1,80 @@
+---
+{
+    "title": "CREATE DATA MASK POLICY",
+    "language": "en",
+    "description": "Explain can view the rewritten execution plan."
+}
+---
+
+## Description
+
+Explain can view the rewritten execution plan. 
+
+## Syntax
+
+```sql
+CREATE DATA MASK POLICY [ IF NOT EXISTS ] <policy_name> 
+ON <col_name> 
+TO { <user_name> | ROLE <role_name> } 
+USING <mask_type> [LEVEL <priority>];
+```
+## Required Parameters
+
+**<policy_name>**
+
+> column data mask policy name
+
+**<col_name>**
+
+> column name
+
+## Optional Parameters
+
+**<user_name>**
+
+> User name, cannot be created for root and admin users
+
+**<role_name>**
+
+> Role name
+
+**<mask_type>**
+
+> Data mask type. see MASK_TYPE list
+
+## Access Control Requirements
+
+The user executing this SQL command must have at least the following privileges:
+
+| Privilege                | Object | Notes |
+| ------------------------ | ------ | ----- |
+| ADMIN_PRIV or GRANT_PRIV | Global |       |
+
+## MASK_TYPE
+
+| Name                | Meaning                                                         | Expression                                                                                       |
+|:--------------------|:----------------------------------------------------------------|:-------------------------------------------------------------------------------------------------|
+| MASK_REDACT         | Replace lowercase with 'x', uppercase with 'X', digits with '0' | regexp_replace(regexp_replace(regexp_replace({col},'([A-Z])', 'X'),'([a-z])','x'),'([0-9])','0') |
+| MASK_SHOW_LAST_4    | Show last 4 characters; replace rest with 'X'                   | LPAD(RIGHT({col}, 4), CHAR_LENGTH({col}), 'X')                                                   |
+| MASK_SHOW_FIRST_4   | Show first 4 characters; replace rest with 'X'                  | RPAD(LEFT({col}, 4), CHAR_LENGTH({col}), 'X')                                                    |
+| MASK_HASH           | Hash the value of a varchar with sha256                         | hex(sha2({col}, 256))                                                                            |
+| MASK_NULL           | Replace with NULL                                               | NULL                                                                                             |
+| MASK_DATE_SHOW_YEAR | Date: show only year                                            | date_trunc({col}, 'year')                                                                        |
+| MASK_DEFAULT        | Replace with data type default                                  |                                                                                                  |
+| MASK_NONE           | Keep it as it is                                                |                                                                                                  |
+
+
+## Examples
+
+1. Create a set of data mask policies
+
+  ```sql
+    CREATE DATA MASK POLICY test_policy_1 ON internal.test.t1.c1
+    TO jack USING MASK_HASH;
+    
+    CREATE DATA MASK POLICY test_policy_2 ON internal.test.t1.c2
+    TO Role r1 USING MASK_NULL;
+    
+    CREATE DATA MASK POLICY test_policy_3 ON internal.test.t1.c1
+    TO jack USING MASK_NONE LEVEL 1;
+  ```

docs/sql-manual/sql-statements/data-governance/DROP-DATA-MASK-POLICY.md

@@ -0,0 +1,40 @@
+---
+{
+    "title": "DROP DATA MASK POLICY",
+    "language": "en",
+    "description": "Delete data mask policy. For details about data mask policies, please refer to the \"Security Policies\" chapter"
+}
+---
+
+## Description
+
+Delete data mask policy. For details about data mask policies, please refer to the "Security Policies" chapter
+
+
+## Syntax
+
+```sql
+DROP DATA MASK POLICY [IF EXISTS] <policy_name>;
+```
+
+## Required Parameters
+**<policy_name>**
+
+> Data mask policy name
+
+# Access Control Requirements (Access Control Requirements)
+
+The user executing this SQL command must have at least the following privileges:
+
+| Privilege                  | Object | Notes |
+| :------------------------- | :----- | :---- |
+| ADMIN_PRIV or *GRANT_PRIV* | Global |       |
+
+# Examples (Examples)
+
+1. Delete the *policy1 data mask policy* 
+
+  ```sql
+  DROP DATA MASK POLICY policy1
+  ```
+

docs/sql-manual/sql-statements/data-governance/SHOW-DATA-MASK-POLICY.md

@@ -0,0 +1,55 @@
+---
+{
+    "title": "SHOW DATA MASK POLICY",
+    "language": "en",
+    "description": "View data mask policies. For details on data mask policies, refer to the \"Security Policies\" chapter"
+}
+---
+
+## Description
+
+View data mask policies. For details on data mask policies, refer to the "Security Policies" chapter
+
+## Syntax
+
+```sql
+SHOW DATA MASK POLICY [ FOR { <user_name> | ROLE <role_name> } ];
+```
+## Optional Parameters
+
+**<user_name>**
+
+> User name
+
+**<role_name>**
+
+> Role name
+
+## Access Control Requirements
+
+The user executing this SQL command must have at least the following privileges:
+
+| Privilege  | Object | Notes |
+| :--------- | :----- | :---- |
+| ADMIN_PRIV | Global |       |
+
+## Examples
+
+1. View all data mask policies
+
+
+  ```sql
+  SHOW DATA MASK POLICY;
+  ```
+
+1. Query by specifying a user name
+
+  ```sql
+  SHOW DATA MASK POLICY FOR user1;
+  ```
+
+1. Query by specifying a role name
+
+  ```sql
+  SHOW DATA MASK POLICY for role role1;
+  ```

i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/data.md

@@ -49,6 +49,22 @@ GRANT Select_priv(col1,col2) ON ctl.db.tbl TO user1
 
 例如，管理员可以选择将信用卡号、身份证号等敏感字段的部分或全部数字替换为星号 * 或其他字符，或者将真实姓名替换为假名。
 
-从 2.1.2 版本开始，支持通过 Apache Ranger 的 Data Masking 来为某些列设置脱敏策略，目前仅支持通过 [Apache Ranger](./ranger)来设置
+目前可以通过两种方式设置数据脱敏策略 
+
+### 1. Doris 内置脱敏策略
+### 相关命令
+- 创建脱敏限策略 [CREATE DATA MASK POLICY](../../../sql-manual/sql-statements/data-governance/CREATE-DATA-MASK-POLICY)
+- 查看脱敏策略 [SHOW DATA MASK POLICY](../../../sql-manual/sql-statements/data-governance/SHOW-DATA-MASK-POLICY)
+- 删除脱敏策略 [DROP DATA MASK POLICY](../../../sql-manual/sql-statements/data-governance/DROP-DATA-MASK-POLICY)
+### 脱敏策略示例
+1.  test 用户查询 t1.c1 列的时候使用 MASK_HASH 策略
+
+```sql
+CREATE DATA MASK POLICY test_policy_1 ON t1.c1
+TO test USING MASK_HASH;
+```
+### 2. Apache Ranger 外部设置
+
+从 2.1.2 版本开始，支持通过 Apache Ranger 的 Data Masking 来为某些列设置脱敏策略。详见： [Apache Ranger](./ranger)
 
 > 为 admin/root 用户设置数据脱敏不会生效

i18n/zh-CN/docusaurus-plugin-content-docs/current/sql-manual/sql-statements/data-governance/CREATE-DATA-MASK-POLICY.md

@@ -0,0 +1,72 @@
+---
+{
+    "title": "CREATE DATA MASK POLICY",
+    "language": "zh-CN",
+    "description": "创建列脱敏策略，Explain 可以查看改写后的执行计划。"
+}
+---
+
+## 描述
+
+创建列脱敏策略，Explain 可以查看改写后的执行计划。
+
+## 语法
+
+```sql
+CREATE DATA MASK POLICY [ IF NOT EXISTS ] <policy_name> 
+ON <col_name> 
+TO { <user_name> | ROLE <role_name> } 
+USING <mask_type> [LEVEL <priority>];
+```
+
+## 必选参数
+
+1. `<policy_name>`: 列脱敏策略名称
+
+2. `<col_name>`: 列名称
+
+3. `<mask_type>`: 具体的脱敏类型，见：MASK_TYPE 列表
+
+## 可选参数
+
+1. `<user_name>`: 用户名称，不允许对 root 和 admin 用户创建
+
+2. `<role_name>`: 角色名称
+
+3. `<priority>`: 脱敏优先级，默认为 0，如果某个列有多个脱敏策略，值越大，优先级越高
+
+## 权限控制
+
+执行此 SQL 命令的用户必须至少具有以下权限：
+
+| 权限（Privilege）          | 对象（Object） | 说明（Notes） |
+| :------------------------- | :------------- | :------------ |
+| ADMIN_PRIV 或 *GRANT_PRIV* | 全局           |               |
+
+## MASK_TYPE
+| 名称                        | 含义                            | 表达式                                                                                                |
+|:--------------------------|:------------------------------|:---------------------------------------------------------------------------------------------------|
+| MASK_REDACT | 写字母用 x 代替，大写字母用 X 代替，数字用 0 代替 | regexp_replace(regexp_replace(regexp_replace({col},'([A-Z])', 'X'),'([a-z])','x'),'([0-9])','0')   |
+| MASK_SHOW_LAST_4 | 只显示最后4个字符，其他用 X 代替            | LPAD(RIGHT({col}, 4), CHAR_LENGTH({col}), 'X')                                                     |
+| MASK_SHOW_FIRST_4 | 只显示前4个字符，其他用 X 代替             | RPAD(LEFT({col}, 4), CHAR_LENGTH({col}), 'X')                                                      |
+| MASK_HASH | 使用 sha256 对值进行 hash           |    hex(sha2({col}, 256))           |
+| MASK_NULL | 使用 NULL 对值进行覆盖                |    NULL           |
+| MASK_DATE_SHOW_YEAR | 对日期类型，只显示年份                   |    date_trunc({col}, 'year')           |
+| MASK_DEFAULT | 显示字段类型的默认值                    |               |
+| MASK_NONE | 保持原样                          |               |
+
+## 示例
+
+1. 创建一组行安全策略
+
+    ```sql
+    CREATE DATA MASK POLICY test_policy_1 ON internal.test.t1.c1
+    TO jack USING MASK_HASH;
+    
+    CREATE DATA MASK POLICY test_policy_2 ON internal.test.t1.c2
+    TO Role r1 USING MASK_NULL;
+    
+    CREATE DATA MASK POLICY test_policy_3 ON internal.test.t1.c1
+    TO jack USING MASK_NONE LEVEL 1;
+   
+    ```

i18n/zh-CN/docusaurus-plugin-content-docs/current/sql-manual/sql-statements/data-governance/DROP-DATA-MASK-POLICY.md

@@ -0,0 +1,37 @@
+---
+{
+    "title": "DROP DATA MASK POLICY",
+    "language": "zh-CN",
+    "description": "删除列脱敏策略。"
+}
+---
+
+## 描述
+删除列脱敏策略。
+
+## 语法
+
+```sql
+DROP ROW POLICY [IF EXISTS] <policy_name>;
+```
+
+## 必选参数
+
+1. `<policy_name>`: 列脱敏策略名称
+
+
+## 权限控制
+
+执行此 SQL 命令的用户必须至少具有以下权限：
+
+| 权限（Privilege）          | 对象（Object） | 说明（Notes） |
+| :------------------------- | :------------- | :------------ |
+| ADMIN_PRIV 或 *GRANT_PRIV* | 全局           |               |
+
+## 示例
+
+1. 删除 *policy1 列脱敏策略*
+
+    ```sql
+    DROP DATA MASK POLICY policy1
+    ```

i18n/zh-CN/docusaurus-plugin-content-docs/current/sql-manual/sql-statements/data-governance/SHOW-DATA-MASK-POLICY.md

@@ -0,0 +1,51 @@
+---
+{
+    "title": "SHOW DATA MASK POLICY",
+    "language": "zh-CN",
+    "description": "查看列脱敏策略。"
+}
+---
+
+## 描述
+
+查看列脱敏策略。
+
+## 语法
+
+```sql
+SHOW DATA MASK POLICY [ FOR { <user_name> | ROLE <role_name> } ];
+```
+
+## 可选参数
+
+1. `<user_name>`: 用户名称
+
+2. `<role_name>`: 角色名称
+
+## 权限控制
+
+执行此 SQL 命令的用户必须至少具有以下权限：
+
+| 权限（Privilege） | 对象（Object） | 说明（Notes） |
+| :---------------- | :------------- | :------------ |
+| ADMIN_PRIV        | 全局           |               |
+
+## 示例
+
+1. 查看所有安全策略
+
+    ```sql
+    SHOW DATA MASK POLICY;
+    ```
+
+2. 指定用户名查询
+
+    ```sql
+    SHOW DATA MASK POLICY FOR user1;
+    ```
+
+3. 指定角色名查询
+
+    ```sql
+    SHOW DATA MASK POLICY for role role1;
+    ```