ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Qiang Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-1712) Hive table was not inserted data after user created Hive Masking policy.
Date Tue, 25 Jul 2017 12:43:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Qiang Zhang updated RANGER-1712:
--------------------------------
    Description: 
The RANGER-1578 issue used following logic in RangerHiveAuthorizer class.
segment 1:
if (isDataMaskEnabled(dataMaskResult)) {
    if(result == null) {
        result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(),
request);
    }
 
    result.setIsAllowed(false);  //set false
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");
}
segment 2:
if(result == null || !result.getIsAllowed()) { //result.getIsAllowed() must equal to false.
So the logic is error. The program logic will always go to the following code segment.
    String path = resource.getAsString();
    path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
    throw new HiveAccessControlException(String.format("Permission denied: user [%s] does
not have [%s] privilege on [%s]",
         user, request.getHiveAccessType().name(), path));
}
The error reason is as following:
The result.setIsAllowed(false) was call in segment 1. So The result.getIsAllowed() must equal
to false in segment 2. This is a error.


 1.Scenarios 
create database cust; 
use cust; 

create table customer(id int,name_first string,name_last string,addr_country string, data_of_birth
date, phone_num string)ROW FORMAT DELIMITED
FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;

insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');

Result:insert sucess

 1):First create hive Access policy  users:mr have acess to all privilege to database(cust)
and table(customer) and columns(*); (see Acess.png in detail)
 
 insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
 
 Result:insert sucess
 
 2)Second create Masking policy on cust.customer.name_first  (see Masking.png in detail)
 insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
 Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission
 denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
  
 3.Solution:
 Modify RangerHiveAuthorizer.java 
 change from "result.setIsAllowed(false);
							result.setPolicyId(dataMaskResult.getPolicyId());
							result.setReason("User does not have acces to unmasked column values");"
 to 
 "result.setIsAllowed(dataMaskResult.getIsAllowed());
							result.setPolicyId(dataMaskResult.getPolicyId());
							if(!dataMaskResult.getIsAllowed()){
							result.setReason("User does not have acces to unmasked column values");
							}"

  was:
The RANGER-1578 issue used following logic in RangerHiveAuthorizer class.
segment 1:
if (isDataMaskEnabled(dataMaskResult)) {
    if(result == null) {
        result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(),
request);
    }
 
    result.setIsAllowed(false);  //set false
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");
}
segment 2:
if(result == null || !result.getIsAllowed()) { //result.getIsAllowed() must equal to false.
So the logic is error. The program logic will always go to the following code segment.
    String path = resource.getAsString();
    path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
    throw new HiveAccessControlException(String.format("Permission denied: user [%s] does
not have [%s] privilege on [%s]",
         user, request.getHiveAccessType().name(), path));
}
The error reason is as following:
The result.setIsAllowed(false) was call in segment 1. So The result.getIsAllowed() must equal
to false. This is a error.


 1.Scenarios 
create database cust; 
use cust; 

create table customer(id int,name_first string,name_last string,addr_country string, data_of_birth
date, phone_num string)ROW FORMAT DELIMITED
FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;

insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');

Result:insert sucess

 1):First create hive Access policy  users:mr have acess to all privilege to database(cust)
and table(customer) and columns(*); (see Acess.png in detail)
 
 insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
 
 Result:insert sucess
 
 2)Second create Masking policy on cust.customer.name_first  (see Masking.png in detail)
 insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
 Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission
 denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
  
 3.Solution:
 Modify RangerHiveAuthorizer.java 
 change from "result.setIsAllowed(false);
							result.setPolicyId(dataMaskResult.getPolicyId());
							result.setReason("User does not have acces to unmasked column values");"
 to 
 "result.setIsAllowed(dataMaskResult.getIsAllowed());
							result.setPolicyId(dataMaskResult.getPolicyId());
							if(!dataMaskResult.getIsAllowed()){
							result.setReason("User does not have acces to unmasked column values");
							}"


> Hive table was not inserted data after user created Hive Masking policy.
> ------------------------------------------------------------------------
>
>                 Key: RANGER-1712
>                 URL: https://issues.apache.org/jira/browse/RANGER-1712
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Qiang Zhang
>            Assignee: Qiang Zhang
>            Priority: Critical
>              Labels: patch
>         Attachments: 0001-RANGER-1712-Hive-table-was-not-inserted-data-after-u.patch,
Access.png, masking.png
>
>
> The RANGER-1578 issue used following logic in RangerHiveAuthorizer class.
> segment 1:
> if (isDataMaskEnabled(dataMaskResult)) {
>     if(result == null) {
>         result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(),
request);
>     }
>  
>     result.setIsAllowed(false);  //set false
>     result.setPolicyId(dataMaskResult.getPolicyId());
>     result.setReason("User does not have acces to unmasked column values");
> }
> segment 2:
> if(result == null || !result.getIsAllowed()) { //result.getIsAllowed() must equal to
false. So the logic is error. The program logic will always go to the following code segment.
>     String path = resource.getAsString();
>     path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
>     throw new HiveAccessControlException(String.format("Permission denied: user [%s]
does not have [%s] privilege on [%s]",
>          user, request.getHiveAccessType().name(), path));
> }
> The error reason is as following:
> The result.setIsAllowed(false) was call in segment 1. So The result.getIsAllowed() must
equal to false in segment 2. This is a error.
>  1.Scenarios 
> create database cust; 
> use cust; 
> create table customer(id int,name_first string,name_last string,addr_country string,
data_of_birth date, phone_num string)ROW FORMAT DELIMITED
> FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
> insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');
> Result:insert sucess
>  1):First create hive Access policy  users:mr have acess to all privilege to database(cust)
and table(customer) and columns(*); (see Acess.png in detail)
>  
>  insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
>  
>  Result:insert sucess
>  
>  2)Second create Masking policy on cust.customer.name_first  (see Masking.png in detail)
>  insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
>  Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission
 denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
>   
>  3.Solution:
>  Modify RangerHiveAuthorizer.java 
>  change from "result.setIsAllowed(false);
> 							result.setPolicyId(dataMaskResult.getPolicyId());
> 							result.setReason("User does not have acces to unmasked column values");"
>  to 
>  "result.setIsAllowed(dataMaskResult.getIsAllowed());
> 							result.setPolicyId(dataMaskResult.getPolicyId());
> 							if(!dataMaskResult.getIsAllowed()){
> 							result.setReason("User does not have acces to unmasked column values");
> 							}"



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message