ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "chuanjie.duan (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2097) Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny policy enabled
Date Mon, 07 May 2018 09:57:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

chuanjie.duan updated RANGER-2097:
----------------------------------
    Description: 
Reproduce step:

1. Hive agent enable deny policy "\{"enableDenyAndExceptionsInPolicies":"true"}" in ranger
meta,

2. add policy "database:\{USER}, table:* column:* "

3. create user:test database:test in linux and hive

4. add deny policy "database:test, table:*, column:*, deny: \{group:public, action:drop}"

5.beeline connect to hive and "use test"

6. user [test] does not have [USE] privilege on [test]

 

Cause:

RangerHiveAuthorizer.checkPrivileges

if (hiveOpType == HiveOperationType.SHOWDATABASES) {
 RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
 RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(),
HiveAccessType.*{color:#FF0000}USE{color}*, context, sessionContext);
 requests.add(request);
 }

RangerHiveAccessRequest.setHiveAccessType

public void setHiveAccessType(HiveAccessType accessType) {
 this.accessType = accessType;

*{color:#FF0000}if(accessType == HiveAccessType.USE) {{color}*
 *{color:#FF0000}this.setAccessType(RangerPolicyEngine.ANY_ACCESS);{color}*
 *{color:#FF0000}}{color}* else if(accessType == HiveAccessType.ADMIN) {
 this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
 } else {
 this.setAccessType(accessType.name().toLowerCase());
 }
 }

RangerDefaultPolicyItemEvaluator.matchAccessType

any type would always return true, so my deny policy matched.

RangerDefaultPolicyItemEvaluator.evaluatePolicyItems would try denyEvaluators first.

So resource database matched test , user,group matched test, "matchedPolicyItem.getPolicyItemType()
== RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY"

Finally return deny

  was:
Reproduce step:

1. Hive agent enable deny policy "\{"enableDenyAndExceptionsInPolicies":"true"}" in ranger
meta,

2. add policy "database:\{USER}, table:* column:* "

3. create user:test database:test in linux and hive

4. add deny policy "database:test, table:*, column:*, deny: \{group:public, action:drop}"

5.beeline connect to hive and "use test"

 


> Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny policy
enabled 
> ---------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2097
>                 URL: https://issues.apache.org/jira/browse/RANGER-2097
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.6.3
>            Reporter: chuanjie.duan
>            Priority: Major
>
> Reproduce step:
> 1. Hive agent enable deny policy "\{"enableDenyAndExceptionsInPolicies":"true"}" in ranger
meta,
> 2. add policy "database:\{USER}, table:* column:* "
> 3. create user:test database:test in linux and hive
> 4. add deny policy "database:test, table:*, column:*, deny: \{group:public, action:drop}"
> 5.beeline connect to hive and "use test"
> 6. user [test] does not have [USE] privilege on [test]
>  
> Cause:
> RangerHiveAuthorizer.checkPrivileges
> if (hiveOpType == HiveOperationType.SHOWDATABASES) {
>  RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
>  RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups,
hiveOpType.name(), HiveAccessType.*{color:#FF0000}USE{color}*, context, sessionContext);
>  requests.add(request);
>  }
> RangerHiveAccessRequest.setHiveAccessType
> public void setHiveAccessType(HiveAccessType accessType) {
>  this.accessType = accessType;
> *{color:#FF0000}if(accessType == HiveAccessType.USE) {{color}*
>  *{color:#FF0000}this.setAccessType(RangerPolicyEngine.ANY_ACCESS);{color}*
>  *{color:#FF0000}}{color}* else if(accessType == HiveAccessType.ADMIN) {
>  this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
>  } else {
>  this.setAccessType(accessType.name().toLowerCase());
>  }
>  }
> RangerDefaultPolicyItemEvaluator.matchAccessType
> any type would always return true, so my deny policy matched.
> RangerDefaultPolicyItemEvaluator.evaluatePolicyItems would try denyEvaluators first.
> So resource database matched test , user,group matched test, "matchedPolicyItem.getPolicyItemType()
== RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY"
> Finally return deny



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message