ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [ranger] tooptoop4 edited a comment on issue #36: [RANGER-2395] Add Presto plugin
Date Thu, 05 Mar 2020 10:40:32 GMT
tooptoop4 edited a comment on issue #36: [RANGER-2395] Add Presto plugin
URL: https://github.com/apache/ranger/pull/36#issuecomment-570348580
 
 
   some fixes:
   
   https://github.com/apache/ranger/blob/master/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java#L130
change checkCanSetSystemSessionProperty to have a dummy IF condition that always results in
false so that session properties are never denied
   
   
   
   https://github.com/apache/ranger/blob/master/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java#L116
change checkCanSetUser to have an IF condition (principal does not equal userName) then accessDenied.
This is critical so that users can't impersonate the privileges of another user
   
   public void checkCanSetUser(final Optional<Principal> principal, final String userName)
{
           final String loweruserName = userName.toLowerCase();
           RangerSystemAccessControl.LOG.info("==> RangerSystemAccessControl.checkCanSetUser(userName="
+ loweruserName + ")");
           if (principal.isPresent()) {
               final String principalName = principal.get().getName().toLowerCase();
               RangerSystemAccessControl.LOG.info("==> RangerSystemAccessControl.checkCanSetUser(principalName="
+ principalName + ")");
               if (!loweruserName.equals(principalName)) {
                   AccessDeniedException.denySetUser((Optional)principal, userName);
               }
           }
       }
   
   
   https://github.com/prestodb/presto/issues/13394 remove deny in presto code
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

Mime
View raw message