ranger-dev mailing list archives

From Jiayi Liu <liujiayi...@gmail.com>
Subject Re: Review Request 72642: RANGER-2893: show grant on database xxx will fail in ranger hive plugin
Date Sat, 04 Jul 2020 02:15:22 GMT


> On July 3, 2020, 5:06 p.m., Madhan Neethiraj wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Line 2551 (original), 2551 (patched)
> > <https://reviews.apache.org/r/72642/diff/1/?file=2235348#file2235348line2551>
> >
> >     Please review if #2391 needs to be updated to handle 'objectName==null', similar to #2551.
> >       2391: hivePrivilegeObject = new HivePrivilegeObject(objectType, dbName, objectName);
> 
> Jiayi Liu wrote:
>     I think that in #2391 we do not need to consider the case of objectName == null. Here, hivePrivilegeObject is used to obtain the ACL corresponding to the resource. objectName == null will not affect the result of obtaining the ACL. If objectName == null and dbName != null, it will correctly obtain the ACL of dbName; if we set objectName to *, it will affect the correctness of the result, because no table is named *.
>     
>     Setting objectName to * at #2551 is just for display. The privilegeObject at #2551 is only used to create a new HivePrivilegeInfo, and the role of HivePrivilegeInfo is only to display the ACL result.

If we don't set objectName to *, it's OK, but the table column in the result list will be empty, which looks a bit strange. But it is also reasonable; what do you think?
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
| default   |        | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
| default   |        | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
| default   |        | []         | []      | hue             | USER            | SELECT     | false         | 0           | ranger   |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+


- Jiayi


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72642/#review221119
-----------------------------------------------------------


On July 3, 2020, 2:28 p.m., Jiayi Liu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72642/
> -----------------------------------------------------------
> 
> (Updated July 3, 2020, 2:28 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2893
>     https://issues.apache.org/jira/browse/RANGER-2893
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When we enable the Ranger Hive plugin, show grant at the database level will fail and throw the exception "RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level", although we are not showing grants at the user level but at the database level.
> 
> For example,
> ```sql
> show grant on database default;
> ```
> and the exception,
> ```bash
> ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. RangerHiveAuthorizer.showPrivileges() error: RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level
> ```
> 
> The reason is that the parameter privObj.objectName passed to RangerHiveAuthorizer.showPrivileges is null when showing grants at the database level, and the exception "RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level" will be thrown when objectName is null. The function works normally when the type of privObj is TABLE, because the dbName is the db name and the objectName is the table name.
> 
> We should check whether the dbName is null instead of checking the objectName. We also need to set the objectName to "*" when it is null to represent all tables in the db in HivePrivilegeInfo.
> 
> 
> Diffs
> -----
> 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java c8761108b 
> 
> 
> Diff: https://reviews.apache.org/r/72642/diff/1/
> 
> 
> Testing
> -------
> 
> show grant on database will correctly display privileges, and display '*' in the table column to represent all tables in a db.
> ```bash
> SHOW GRANT on database default;
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hue             | USER            | SELECT     | false         | 0           | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> ```
> 
> 
> Thanks,
> 
> Jiayi Liu
> 
>
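To make the two call sites discussed in this thread concrete, here is an added example that is not Ranger's or Hive's code: the pre-fix scope check on objectName beside the fixed check on dbName, a pass-through of the lookup key for the #2391 site, and the "*" substitution confined to the displayed row for the #2551 site. The classes PrivObject and PrivRow, all method names, and the sample ACL are hypothetical stand-ins for HivePrivilegeObject, HivePrivilegeInfo and the Ranger policy lookup; the Hive authorizer interfaces are not used.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not Apache Ranger or Hive code: a self-contained model of the
// two call sites discussed for RANGER-2893. All class and method names here are
// hypothetical stand-ins for RangerHiveAuthorizer.showPrivileges() and friends.
public class ShowGrantScopeExample {

    // Stand-in for Hive's HivePrivilegeObject(objectType, dbName, objectName).
    static final class PrivObject {
        final String objectType; // e.g. "DATABASE" or "TABLE_OR_VIEW"
        final String dbName;     // null only when SHOW GRANT names no resource (user level)
        final String objectName; // null for SHOW GRANT ON DATABASE

        PrivObject(String objectType, String dbName, String objectName) {
            this.objectType = objectType;
            this.dbName = dbName;
            this.objectName = objectName;
        }
    }

    // Stand-in for the HivePrivilegeInfo row that SHOW GRANT prints.
    static final class PrivRow {
        final String database, table, principal, privilege;

        PrivRow(String database, String table, String principal, String privilege) {
            this.database = database;
            this.table = table;
            this.principal = principal;
            this.privilege = privilege;
        }

        @Override
        public String toString() {
            return String.format("| %-8s | %-5s | %-7s | %-6s |", database, table, principal, privilege);
        }
    }

    // Pre-fix scope check, kept for comparison: any null objectName is treated as
    // a user-level request, so SHOW GRANT ON DATABASE is rejected.
    static boolean isResourceLevelBuggy(PrivObject privObj) {
        return privObj != null && privObj.objectName != null;
    }

    // Fixed scope check: a request is resource level as soon as it names a database;
    // a missing objectName means "the database itself", not "no resource".
    static boolean isResourceLevel(PrivObject privObj) {
        return privObj != null && privObj.dbName != null;
    }

    // Lookup site (#2391 in the review): hand objectName through unchanged. A null
    // here resolves the database's own ACL; substituting "*" would instead look up
    // a table literally named "*", which no database has.
    static PrivObject resourceForAclLookup(PrivObject privObj) {
        return new PrivObject(privObj.objectType, privObj.dbName, privObj.objectName);
    }

    // Display site (#2551): only the printed row gets "*" for "all tables in the db".
    static String tableColumnForDisplay(PrivObject privObj) {
        return privObj.objectName == null ? "*" : privObj.objectName;
    }

    // Builds the SHOW GRANT rows, or rejects the request the way the plugin does for
    // genuinely user-level requests. aclEntries is a constructed stand-in for the
    // policy lookup result; each entry is {principal, privilege}.
    static List<PrivRow> showPrivileges(PrivObject privObj, List<String[]> aclEntries) {
        if (!isResourceLevel(privObj)) {
            throw new IllegalArgumentException(
                "showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level");
        }
        PrivObject lookupKey = resourceForAclLookup(privObj); // null objectName stays null
        String table = tableColumnForDisplay(privObj);        // "*" appears only in the output
        List<PrivRow> rows = new ArrayList<>();
        for (String[] entry : aclEntries) {
            rows.add(new PrivRow(lookupKey.dbName, table, entry[0], entry[1]));
        }
        return rows;
    }

    public static void main(String[] args) {
        // Constructed sample ACL for database "default", echoing two rows from the review.
        List<String[]> acl = new ArrayList<>();
        acl.add(new String[] {"hadoop", "SELECT"});
        acl.add(new String[] {"hue", "SELECT"});

        PrivObject dbLevel = new PrivObject("DATABASE", "default", null);
        PrivObject tableLevel = new PrivObject("TABLE_OR_VIEW", "default", "t1");
        PrivObject userLevel = new PrivObject(null, null, null);

        System.out.println("db-level request, pre-fix check:  " + isResourceLevelBuggy(dbLevel));
        System.out.println("db-level request, fixed check:    " + isResourceLevel(dbLevel));
        System.out.println("user-level request, fixed check:  " + isResourceLevel(userLevel));

        for (PrivRow r : showPrivileges(dbLevel, acl)) {
            System.out.println(r);
        }
        for (PrivRow r : showPrivileges(tableLevel, acl)) {
            System.out.println(r);
        }
    }
}
```

Run with `javac ShowGrantScopeExample.java && java ShowGrantScopeExample`. The point of separating resourceForAclLookup from tableColumnForDisplay is the one Jiayi makes above: the wildcard is a presentation detail for HivePrivilegeInfo, while the policy lookup must keep the database-level key intact so that it is not mistaken for a lookup on a table named "*".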

