ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Madhan Neethiraj (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-930) Restricting Table names with the "Update" permission for HIVE does not work
Date Mon, 02 May 2016 03:06:12 GMT

    [ https://issues.apache.org/jira/browse/RANGER-930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15266080#comment-15266080
] 

Madhan Neethiraj commented on RANGER-930:
-----------------------------------------


Ranger authorizer is called to authorize QUERY on temporary table values__tmp__table__1 -
see the checkPrivilege() call details below. Hence Ranger requires an authorization policy
to allow the access.

[~thejas] how is this case (insert statement requiring SELECT on temporary tables) handled
in Hive's SQLStdAuthorizer? Do you require explicit grants?

'checkPrivileges':{'hiveOpType':QUERY, 'inputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW,
'dbName':default, 'objectType':TABLE_OR_VIEW, 'objectName':values__tmp__table__1, 'columns':[tmp_values_col1,
tmp_values_col2], 'partKeys':[], 'commandParams':[], 'actionType':OTHER}], 'outputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW,
'dbName':default, 'objectType':TABLE_OR_VIEW, 'objectName':testtable, 'columns':[], 'partKeys':[],
'commandParams':[], 'actionType':INSERT}], 'context':{'clientType':HIVESERVER2, 'commandString':insert
into testTable values(1, 'name #1'), 'ipAddress':127.0.0.1, 'sessionString':e6149e82-56c5-47e3-9b1f-0bf76a12ae18},
'user':hive, 'groups':[hadoop]}


> Restricting Table names with the "Update" permission for HIVE does not work
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-930
>                 URL: https://issues.apache.org/jira/browse/RANGER-930
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.6.0
>            Reporter: Colm O hEigeartaigh
>            Assignee: Madhan Neethiraj
>            Priority: Blocker
>             Fix For: 0.6.0
>
>
> If I create a Ranger policy for a specific Table with "SELECT" + "UPDATE" permissions,
the user can't actually invoke an "insert" query in HIVE, e.g.:
> H110 Unable to submit statement. Error while compiling statement: FAILED: HiveAccessControlException
Permission denied: user [colm] does not have [SELECT] privilege on [default/values__tmp__table__3/tmp_values_col1,tmp_values_col2]
[ERROR_STATUS]
> It looks like there is an issue with access verification for temporary tables. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message