tooptoop4 edited a comment on issue #36: [RANGER-2395] Add Presto plugin
URL: https://github.com/apache/ranger/pull/36#issuecomment-570348580
some fixes:
https://github.com/apache/ranger/blob/master/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java#L130
change checkCanSetSystemSessionProperty to have a dummy IF condition that always results in
false so that session properties are never denied
https://github.com/apache/ranger/blob/master/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java#L116
change checkCanSetUser to have an IF condition (principal does not equal userName) then accessDenied.
This is critical so that users can't impersonate the privileges of another user
public void checkCanSetUser(final Optional<Principal> principal, final String userName)
{
final String loweruserName = userName.toLowerCase();
RangerSystemAccessControl.LOG.info("==> RangerSystemAccessControl.checkCanSetUser(userName="
+ loweruserName + ")");
if (principal.isPresent()) {
final String principalName = principal.get().getName().toLowerCase();
RangerSystemAccessControl.LOG.info("==> RangerSystemAccessControl.checkCanSetUser(principalName="
+ principalName + ")");
if (!loweruserName.equals(principalName)) {
AccessDeniedException.denySetUser((Optional)principal, userName);
}
}
}
https://github.com/prestodb/presto/issues/13394 remove deny in presto code
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
|