ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "chuanjie.duan (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2097) Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny policy enabled
Date Mon, 07 May 2018 13:30:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

chuanjie.duan updated RANGER-2097:
----------------------------------
    Attachment: RANGER-2097.patch

> Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny policy
enabled 
> ---------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2097
>                 URL: https://issues.apache.org/jira/browse/RANGER-2097
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.6.3
>            Reporter: chuanjie.duan
>            Priority: Major
>         Attachments: RANGER-2097.patch
>
>
> Reproduce step:
> 1. Hive agent enable deny policy "\{"enableDenyAndExceptionsInPolicies":"true"}" in ranger
meta,
> 2. add policy "database:\{USER}, table:* column:* "
> 3. create user:test database:test in linux and hive
> 4. add deny policy "database:test, table:*, column:*, deny: \{group:public, action:drop}"
> 5.beeline connect to hive and "use test"
> 6. user [test] does not have [USE] privilege on [test]
>  
> Cause:
> RangerHiveAuthorizer.checkPrivileges
> if (hiveOpType == HiveOperationType.SHOWDATABASES) {
>  RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
>  RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups,
hiveOpType.name(), HiveAccessType.*{color:#ff0000}USE{color}*, context, sessionContext);
>  requests.add(request);
>  }
> RangerHiveAccessRequest.setHiveAccessType
> public void setHiveAccessType(HiveAccessType accessType) {
>  this.accessType = accessType;
> *{color:#ff0000}if(accessType == HiveAccessType.USE) {{color}*
>  *{color:#ff0000}this.setAccessType(RangerPolicyEngine.ANY_ACCESS);{color}*
>  else if(accessType == HiveAccessType.ADMIN)
> { this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS); }
> else
> { this.setAccessType(accessType.name().toLowerCase()); }
> }
> RangerDefaultPolicyItemEvaluator.matchAccessType
> any type would always return true, so my deny policy matched.
> RangerDefaultPolicyItemEvaluator.evaluatePolicyItems would try denyEvaluators first.
> So resource database matched test , user,group matched test, "matchedPolicyItem.getPolicyItemType()
== RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY"
> Finally return deny, same as "show databases", "show databases" would try "SHOWDATABASES"
and "use \{database}" one by one.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message