ranger-dev mailing list archives

From "Qiang Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (RANGER-1712) Hive table was not inserted data after user created Hive Masking policy.
Date Tue, 25 Jul 2017 12:31:00 GMT
Qiang Zhang created RANGER-1712:
-----------------------------------

             Summary: Hive table was not inserted data after user created Hive Masking policy.
                 Key: RANGER-1712
                 URL: https://issues.apache.org/jira/browse/RANGER-1712
             Project: Ranger
          Issue Type: Bug
          Components: plugins
            Reporter: Qiang Zhang
            Assignee: Qiang Zhang
            Priority: Critical


The RANGER-1578 issue used the following logic in the RangerHiveAuthorizer class.
segment 1:
if (isDataMaskEnabled(dataMaskResult)) {
    if (result == null) {
        result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
    }

    result.setIsAllowed(false);  // set false
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");
}
segment 2:
if (result == null || !result.getIsAllowed()) { // result.getIsAllowed() must equal false, so the logic is in error.
    String path = resource.getAsString();
    path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
    throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
         user, request.getHiveAccessType().name(), path));
}
The reason for the error is as follows:
result.setIsAllowed(false) was called in segment 1, so result.getIsAllowed() must equal false. This is an error.


1. Scenarios
create database cust;
use cust;

create table customer(id int, name_first string, name_last string, addr_country string, data_of_birth date, phone_num string)
ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;

insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');

Result: insert success

 1) First, create a Hive access policy: user mr has all privileges on database (cust), table (customer) and columns (*); (see Acess.png for details)

 insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');

 Result: insert success

 2) Second, create a masking policy on cust.customer.name_first (see Masking.png for details)
 insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
 Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
  
 3. Solution:
 Modify RangerHiveAuthorizer.java
 change from
 "result.setIsAllowed(false);
  result.setPolicyId(dataMaskResult.getPolicyId());
  result.setReason("User does not have acces to unmasked column values");"
 to
 "result.setIsAllowed(dataMaskResult.getIsAllowed());
  result.setPolicyId(dataMaskResult.getPolicyId());
  if (!dataMaskResult.getIsAllowed()) {
      result.setReason("User does not have acces to unmasked column values");
  }"



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
