ranger-dev mailing list archives

From Jiayi Liu <liujiayi...@gmail.com>
Subject Review Request 72642: RANGER-2893: show grant on database xxx will fail in ranger hive plugin
Date Fri, 03 Jul 2020 14:28:30 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72642/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan
Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu,
and Velmurugan Periasamy.


Bugs: RANGER-2893
    https://issues.apache.org/jira/browse/RANGER-2893


Repository: ranger


Description
-------

When we enable the Ranger Hive plugin, show grant at the database level will fail and throw the
exception "RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources
and not user level", although we are showing grants at the database level, not at the user
level.

For example,
```sql
show grant on database default;
```
and the exception,
```bash
ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask.
RangerHiveAuthorizer.showPrivileges() error: RangerHiveAuthorizer.showPrivileges() only supports
SHOW PRIVILEGES for Hive resources and not user level
```

The reason is that the parameter privObj.objectName passed to RangerHiveAuthorizer.showPrivileges
is null when showing grants at the database level, and the exception "RangerHiveAuthorizer.showPrivileges()
only supports SHOW PRIVILEGES for Hive resources and not user level" will be thrown when objectName
is null. The function works normally when the type of privObj is TABLE, because the dbName is the
db name and the objectName is the table name.

We should check whether the dbName is null instead of checking the objectName. We also need to
set the objectName to "*" when it is null, to represent all tables in the db in HivePrivilegeInfo.


Diffs
-----

  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
c8761108b 


Diff: https://reviews.apache.org/r/72642/diff/1/


Testing
-------

show grant on database will correctly display privileges, and display '*' in table column
to represent all tables in a db.
```bash
SHOW GRANT on database default;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
| default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
| default   | *      | []         | []      | hue             | USER            | SELECT     | false         | 0           | ranger   |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
```
```


Thanks,

Jiayi Liu
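
The null check described in the message, as an added example that is not part of the original e-mail and is not Ranger's code. The `PrivObj` record, the `resolveBefore`/`resolveAfter` helpers, the `NONE` type and the table name `t1` are hypothetical stand-ins constructed for illustration; only the `dbName`/`objectName` fields, the `"*"` substitution and the error text come from the message.

```java
import java.util.List;
import java.util.function.Function;

// Added illustration with simplified stand-ins; not Ranger or Hive classes.
public class ShowGrantResourceCheck {
    static final String ERR =
        "only supports SHOW PRIVILEGES for Hive resources and not user level";

    // Hypothetical stand-in for the privilege object handed to showPrivileges().
    record PrivObj(String type, String dbName, String objectName) {}

    // Reported behaviour: a null objectName is treated as "user level",
    // so a database-level request is rejected.
    static String resolveBefore(PrivObj p) {
        if (p == null || p.objectName() == null) {
            throw new IllegalArgumentException(ERR);
        }
        return p.dbName() + "/" + p.objectName();
    }

    // Proposed behaviour: reject only when no database is named, and
    // report a null objectName as "*" (all tables in the database).
    static String resolveAfter(PrivObj p) {
        if (p == null || p.dbName() == null) {
            throw new IllegalArgumentException(ERR);
        }
        String table = (p.objectName() == null) ? "*" : p.objectName();
        return p.dbName() + "/" + table;
    }

    // Run one check and turn a rejection into a printable string.
    static String attempt(Function<PrivObj, String> check, PrivObj p) {
        try {
            return check.apply(p);
        } catch (IllegalArgumentException e) {
            return "REJECTED";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: database-level, table-level, and no resource at all.
        List<PrivObj> cases = List.of(
            new PrivObj("DATABASE", "default", null),
            new PrivObj("TABLE", "default", "t1"),
            new PrivObj("NONE", null, null));
        for (PrivObj p : cases) {
            System.out.printf("%-8s before=%-10s after=%s%n", p.type(),
                attempt(ShowGrantResourceCheck::resolveBefore, p),
                attempt(ShowGrantResourceCheck::resolveAfter, p));
        }
    }
}
```

The database-level case is the only one whose result differs between the two checks; a request that names no database is still rejected by both.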

