ranger-dev mailing list archives

From "Pradeep Agrawal (Jira)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2763) Hive SET Role command in Ranger hive plugin
Date Thu, 30 Apr 2020 10:32:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pradeep Agrawal updated RANGER-2763:
------------------------------------
    Description: 
[https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorization-UsersandRoles]

In the above-mentioned link there is a "SET Role" command which seems not to be implemented yet in the Ranger Hive plugin:

[https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L104]

 

If the Ranger Hive plugin is enabled, then execution of "set role" throws a method-not-implemented exception, probably due to:

[https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java#L155]

 

Expected behavior after the patch:

Without Ranger ACL use case:

1) Create two roles, let's say role1 and role2.

2) Create one table, table1, and insert a record.

3) Grant select on table1 to role1 and insert on table1 to role2.

4) Create user testuser1 and give both role1 and role2 to user testuser1.

5) Log in as user testuser1 and set the role to role1 by using the set role command.

6) Execute a SQL statement to select the records: since role1 has the select grant, the user will be able to view the records.

7) Execute an insert statement to add a record: since role1 does not have insert privileges and the user has set the current role to only role1, he would not be able to insert the records.

8) Now run the set role command and set the role to role2.

9) Execute an insert statement to add a record: since role2 has insert privileges and the user has set the current role to only role2, he would be able to insert the records.

10) Execute a SQL statement to select the records: since role2 does not have select permissions, the user will not be able to view the records.

11) Log out and log in again as the same user and execute the show current role command; both roles should be displayed.



> Hive SET Role command in Ranger hive plugin
> -------------------------------------------
>
>                 Key: RANGER-2763
>                 URL: https://issues.apache.org/jira/browse/RANGER-2763
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Pradeep Agrawal
>            Assignee: Pradeep Agrawal
>            Priority: Major
>         Attachments: 0001-RANGER-2763-Hive-SET-Role-command-in-Ranger-hive-plu.patch



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
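
The expected behaviour listed in the issue description, as an added example that is not part of the original message or of the attached patch: a toy Python model of "current role" semantics in which access is decided by the active roles only. The `Session` class, the `ROLE_GRANTS` and `USER_ROLES` tables and the refusal of a role the user does not hold are assumptions made for this illustration; none of it is Ranger or Hive code.

```python
# Added illustration: a toy model of "current role" semantics, not Ranger or Hive code.
from dataclasses import dataclass, field

# Constructed sample data mirroring steps 1-4 of the description.
ROLE_GRANTS = {"role1": {("table1", "select")}, "role2": {("table1", "insert")}}
USER_ROLES = {"testuser1": {"role1", "role2"}}


class RoleNotGranted(Exception):
    """Raised when a user tries to activate a role they do not hold."""


@dataclass
class Session:
    user: str
    current_roles: set = field(default_factory=set)

    def __post_init__(self):
        # A fresh login starts with every granted role active (step 11).
        self.current_roles = set(USER_ROLES.get(self.user, ()))

    def set_role(self, role):
        # Assumption: activating a role the user does not hold is refused,
        # otherwise SET ROLE would become a privilege-escalation path.
        if role not in USER_ROLES.get(self.user, ()):
            raise RoleNotGranted(f"{self.user} does not hold {role}")
        self.current_roles = {role}

    def show_current_roles(self):
        return sorted(self.current_roles)

    def is_allowed(self, table, action):
        # Only the active roles count, not everything the user was granted.
        return any((table, action) in ROLE_GRANTS.get(r, ())
                   for r in self.current_roles)


def run_walkthrough():
    """Replay steps 5-11 and return the allow/deny decisions in order."""
    s = Session("testuser1")
    s.set_role("role1")
    results = [s.is_allowed("table1", "select"), s.is_allowed("table1", "insert")]
    s.set_role("role2")
    results += [s.is_allowed("table1", "insert"), s.is_allowed("table1", "select")]
    return results, Session("testuser1").show_current_roles()


if __name__ == "__main__":
    print(run_walkthrough())
```

The session state is the part to review in any real implementation: a role switch must replace the active set rather than add to it, and it must not outlive the session.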
