ranger-dev mailing list archives

From Jiayi Liu <liujiayi...@gmail.com>
Subject Re: Review Request 72647: RANGER-2896: show grant not display grant_time in hive plugin
Date Tue, 07 Jul 2020 01:56:18 GMT


> On July 6, 2020, 3:05 p.m., Madhan Neethiraj wrote:
> > Interpreting policy create time as grant time is not correct. For example: multiple
> > grants for the same database/table will update the same policy. Each grant could have been
> > performed at different days/times. However, with the approach suggested in this patch, grant
> > time for all will be shown the same - which is incorrect. I suggest to retain the current
> > behavior (of showing 0 as the grant time), and claim that grant-time is unsupported with Ranger
> > authorizer (instead of showing incorrect timestamps).

I think you are right, I will close this review.


- Jiayi


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72647/#review221134
-----------------------------------------------------------


On July 6, 2020, 6:53 a.m., Jiayi Liu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72647/
> -----------------------------------------------------------
> 
> (Updated July 6, 2020, 6:53 a.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-2896
>     https://issues.apache.org/jira/browse/RANGER-2896
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> show grant can not display grant_time, because RANGER-836 pruned the content of policy download.
> 
> When using show grant, grant_time will always be 0.
> 
> ```bash
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> ```
> 
> In RangerHiveAuthorizer.createHivePrivilegeInfo function, it gets creationDate from policy.getCreateTime().
> 
> ```java
> if (accessTypes.contains(aclName.toLowerCase()) && (users.contains(hivePrincipal.getName()) || groups.contains(hivePrincipal.getName()))) {
>     creationDate = (policy.getCreateTime() == null) ? creationDate : (int) (policy.getCreateTime().getTime()/1000);
>     delegateAdmin = (policyItem.getDelegateAdmin() == null) ? delegateAdmin : policyItem.getDelegateAdmin().booleanValue();
> }
> ```
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java a09a35295
> 
> 
> Diff: https://reviews.apache.org/r/72647/diff/1/
> 
> 
> Testing
> -------
> 
> show grant can display grant_time.
> ```bash
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 1594004452000  | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> ```
> 
> 
> Thanks,
> 
> Jiayi Liu
> 
>

