ranger-dev mailing list archives

Site index · List index

Message view	« Date » · « Thread »
Top	« Date » · « Thread »
From	Jiayi Liu <liujiayi...@gmail.com>
Subject	Re: Review Request 72647: RANGER-2896: show grant not display grant_time in hive plugin
Date	Tue, 07 Jul 2020 01:56:18 GMT
> On 七月 6, 2020, 3:05 p.m., Madhan Neethiraj wrote: > > Intrepretting policy create time as grant time is not correct. For example: multiple grants for the same database/table will update the same policy. Each grant could have been performed at different days/times. However, with the approach suggested in this patch, grant time for all will be shown the same - which is incorrect. I suggest to retain the current behavior (of showing 0 as the grant time), and claim that grant-time is unsupported with Ranger authorizer (instead of showing incorrect timestamps). I think you are right, I will close this review. - Jiayi ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/72647/#review221134 ----------------------------------------------------------- On 七月 6, 2020, 6:53 a.m., Jiayi Liu wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/72647/ > ----------------------------------------------------------- > > (Updated 七月 6, 2020, 6:53 a.m.) > > > Review request for ranger and Madhan Neethiraj. > > > Bugs: RANGER-2896 > https://issues.apache.org/jira/browse/RANGER-2896 > > > Repository: ranger > > > Description > ------- > > show grant can not display grant_time, because RANGER-836 pruned the content of policy download. > > When using show grant, grant_time will always be 0. > > ```bash > +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+ > \| database \| table \| partition \| column \| principal_name \| principal_type \| privilege \| grant_option \| grant_time \| grantor \| > +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+ > \| default \| * \| [] \| [] \| hadoop \| USER \| ALTER \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| CREATE \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| DROP \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| INDEX \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| LOCK \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| READ \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| SELECT \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| UPDATE \| true \| 0 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| WRITE \| true \| 0 \| ranger \| > +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+ > ``` > > In RangerHiveAuthorizer.createHivePrivilegeInfo function, it gets creationDate from policy.getCreateTime(). > > ```java > if (accessTypes.contains(aclName.toLowerCase()) && (users.contains(hivePrincipal.getName()) \|\| groups.contains(hivePrincipal.getName()))) { > creationDate = (policy.getCreateTime() == null) ? creationDate : (int) (policy.getCreateTime().getTime()/1000); > delegateAdmin = (policyItem.getDelegateAdmin() == null) ? delegateAdmin : policyItem.getDelegateAdmin().booleanValue(); > } > ``` > > > Diffs > ----- > > security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java a09a35295 > > > Diff: https://reviews.apache.org/r/72647/diff/1/ > > > Testing > ------- > > show grant can display grant_time. > ```bash > +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+ > \| database \| table \| partition \| column \| principal_name \| principal_type \| privilege \| grant_option \| grant_time \| grantor \| > +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+ > \| default \| * \| [] \| [] \| hadoop \| USER \| ALTER \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| CREATE \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| DROP \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| INDEX \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| LOCK \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| READ \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| SELECT \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| UPDATE \| true \| 1594004452000 \| ranger \| > \| default \| * \| [] \| [] \| hadoop \| USER \| WRITE \| true \| 1594004452000 \| ranger \| > +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+ > ``` > > > Thanks, > > Jiayi Liu > >
Mime	Unnamed multipart/alternative (inline, None, 0 bytes) Unnamed text/plain (inline, 8-Bit, 6004 bytes)
	View raw message