ranger-dev mailing list archives

From Pradeep Agrawal <pradeepagrawal8...@gmail.com>
Subject Re: Review Request 72429: RANGER-2763: Hive SET Role command in Ranger hive plugin
Date Mon, 27 Apr 2020 13:10:35 GMT


> On April 27, 2020, 6:14 a.m., Madhan Neethiraj wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Lines 127 (patched)
> > <https://reviews.apache.org/r/72429/diff/1/?file=2227514#file2227514line127>
> >
> >     The user can pick only one role to the current-role, right? If user doesn't specify any, then all roles assigned to the user (and user's groups) will be used to authorize the access. So, I suggest to consider replacing:
> >       private List<String> currentRoles;
> >     
> >     with:
> >       private String useRole;
> >     
> >     
> >     In addition, it will be necessary to update policy evaluation to only use the role specified in 'setRole()' to perform authorization. Please review and update.

The user can pick only one role to the current-role, right? 
Pradeep : Yes

If user doesn't specify any, then all roles assigned to the user (and user's groups) will
be used to authorize the access. 
Pradeep : Yes, but it seems the "set role" command is based on the session level, not on the application
level. Like, if the user logs out then his roles will be reset to whatever it was before login.
So I think we have to keep the list for roles. Also, before executing the "set role" command,
the "show current roles" command should list all the roles.
Implementation Reference : https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520


--
In addition, it will be necessary to update policy evaluation to only use the role specified
in 'setRole()' to perform authorization. Please review and update. 

Pradeep : Will review and let you know. This implementation will also vary on the above question's
answer.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220495
-----------------------------------------------------------


On April 24, 2020, 2:17 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72429/
> -----------------------------------------------------------
> 
> (Updated April 24, 2020, 2:17 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Nixon Rodrigues, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2763
>     https://issues.apache.org/jira/browse/RANGER-2763
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Hive SET Role command is not supported in Ranger hive plugin
> Error message : setCurrentRole() not implemented in Ranger AbstractHiveAuthorizer
> 
> **Proposed Solution:** Added implementation as per https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520
> 
> However, the user's role list will not be fetched from Hivemetastore, rather it will be fetched from Ranger admin.
> 
> Note: command "set role" may not generate any audit logs as of now. I could not test the same as I don't have an environment.
> 
> 
> Diffs
> -----
> 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java a6f74b95e 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java c752489ef 
> 
> 
> Diff: https://reviews.apache.org/r/72429/diff/1/
> 
> 
> Testing
> -------
> 
> With patch:
> 1) Added two roles in ranger admin "admin" and "public" and added hive user in that.
> 2) logged in from hive user in hive cli and executed command "show current roles"
> 3) output received "public"
> 4) executed command "set role admin" and command was executed successfully
> 5) executed command "show current roles"
> 6) output received "admin"
> 7) executed command "show roles"
> 8) command failed to execute as "hive" is not an admin in Ranger and only user having "admin" role is ranger-admin can execute that.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
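
A small Java model of the session-level behaviour this thread discusses, added here as an example; it is not code from the patch, from Ranger or from Hive. It shows all assigned roles applying until SET ROLE picks one, and that choice lasting only for the session. The `Session` class, its method names, the role names and the rejection of roles the user does not hold are assumptions made for illustration.

```java
import java.util.*;

/** Hypothetical model of per-session current roles; not Ranger or Hive code. */
public class SessionRoleDemo {
    static final class Session {
        private final Set<String> assignedRoles; // roles granted to the user (and the user's groups)
        private List<String> currentRoles;       // roles authorization may use in this session

        Session(Collection<String> assigned) {
            this.assignedRoles = new LinkedHashSet<>(assigned);
            this.currentRoles = new ArrayList<>(assignedRoles); // no SET ROLE yet: all assigned roles
        }

        /** SET ROLE name: narrow the session to one role the user actually holds. */
        void setRole(String role) {
            if (!assignedRoles.contains(role)) { // assumption: unassigned roles are refused
                throw new SecurityException("user is not assigned role " + role);
            }
            currentRoles = Collections.singletonList(role);
        }

        /** SHOW CURRENT ROLES. */
        List<String> showCurrentRoles() { return Collections.unmodifiableList(currentRoles); }

        /** A policy granted to policyRoles matches only through a current role. */
        boolean isAllowed(Set<String> policyRoles) {
            for (String r : currentRoles) if (policyRoles.contains(r)) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: role names and the policy are illustrative only.
        List<String> assigned = Arrays.asList("analyst", "etl");
        Set<String> policy = Collections.singleton("etl");

        Session s1 = new Session(assigned);
        System.out.println(s1.showCurrentRoles() + " " + s1.isAllowed(policy)); // before SET ROLE
        s1.setRole("analyst");
        System.out.println(s1.showCurrentRoles() + " " + s1.isAllowed(policy)); // narrowed to one role
        try {
            s1.setRole("admin"); // role the user does not hold
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Session s2 = new Session(assigned); // new login: the earlier SET ROLE does not carry over
        System.out.println(s2.showCurrentRoles());
    }
}
```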

