Repository: incubator-ranger Updated Branches: refs/heads/master 7bc2f89e2 -> 23c7b1148
RANGER-1100: Hive authorizer does not block update when row-filter/column-mask is specified on the table for the user Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/23c7b114 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/23c7b114 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/23c7b114 Branch: refs/heads/master Commit: 23c7b1148533275dffb37853b49a6ebdb8126a7e Parents: 7bc2f89 Author: Madhan Neethiraj <[email protected]> Authored: Wed Jul 13 17:05:32 2016 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Jul 14 00:40:06 2016 -0700 ---------------------------------------------------------------------- .../hive/authorizer/RangerHiveAuthorizer.java | 77 ++++++++++++-------- 1 file changed, 46 insertions(+), 31 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/23c7b114/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 69fa293..6ef58b0 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 
@@ -352,49 +352,56 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { for(RangerAccessResult colResult : colResults) { result = colResult; - if(!result.getIsAllowed()) { + if(result != null && !result.getIsAllowed()) { break; } } } } else { result = hivePlugin.isAccessAllowed(request, auditHandler); + } - if(result != null && result.getIsAllowed() && blockAccessIfRowfilterColumnMaskSpecified(hiveOpType, request.getHiveAccessType())) { - // check if row-filtering or column-masking is applicable for the table/view being accessed - RangerHiveResource res = (RangerHiveResource)request.getResource(); + if((result == null || result.getIsAllowed()) && isBlockAccessIfRowfilterColumnMaskSpecified(hiveOpType, request)) { + // check if row-filtering is applicable for the table/view being accessed + HiveAccessType savedAccessType = request.getHiveAccessType(); + RangerHiveResource tblResource = new RangerHiveResource(HiveObjectType.TABLE, resource.getDatabase(), resource.getTable()); - if(res.getObjectType() == HiveObjectType.TABLE || res.getObjectType() == HiveObjectType.VIEW) { - HiveAccessType savedAccessType = request.getHiveAccessType(); + request.setHiveAccessType(HiveAccessType.SELECT); // filtering/masking policies are defined only for SELECT + request.setResource(tblResource); - request.setHiveAccessType(HiveAccessType.SELECT); // filtering/masking policies are defined only for SELECT + RangerRowFilterResult rowFilterResult = getRowFilterResult(request); - RangerRowFilterResult rowFilterResult = getRowFilterResult(request); + if (isRowFilterEnabled(rowFilterResult)) { + if(result == null) { + result = new RangerAccessResult(rowFilterResult.getServiceName(), rowFilterResult.getServiceDef(), request); + } - if (isRowFilterEnabled(rowFilterResult)) { - result.setIsAllowed(false); - result.setPolicyId(rowFilterResult.getPolicyId()); - result.setReason("User does not have acces to all rows of the table"); - } else { - // check if masking is enabled for 
any column in the table/view - request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS); + result.setIsAllowed(false); + result.setPolicyId(rowFilterResult.getPolicyId()); + result.setReason("User does not have acces to all rows of the table"); + } else { + // check if masking is enabled for any column in the table/view + request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS); - RangerDataMaskResult dataMaskResult = getDataMaskResult(request); + RangerDataMaskResult dataMaskResult = getDataMaskResult(request); - if (isDataMaskEnabled(dataMaskResult)) { - result.setIsAllowed(false); - result.setPolicyId(dataMaskResult.getPolicyId()); - result.setReason("User does not have acces to unmasked column values"); - } + if (isDataMaskEnabled(dataMaskResult)) { + if(result == null) { + result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request); } - request.setHiveAccessType(savedAccessType); - - if(! result.getIsAllowed()) { - auditHandler.processResult(result); - } + result.setIsAllowed(false); + result.setPolicyId(dataMaskResult.getPolicyId()); + result.setReason("User does not have acces to unmasked column values"); } } + + request.setHiveAccessType(savedAccessType); + request.setResource(resource); + + if(result != null && !result.getIsAllowed()) { + auditHandler.processResult(result); + } } if(result != null && !result.getIsAllowed()) { 
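Review bot: The restore block at the end of the new branch, `request.setHiveAccessType(savedAccessType); request.setResource(resource);`, puts back the access type and resource but not the matching scope that the data-mask path widened with `request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);`. If the same request object is evaluated again after this block (its later use is not visible in the hunk), that wider scope would carry into an unrelated authorization decision, so saving it next to the access type — `RangerAccessRequest.ResourceMatchingScope savedScope = request.getResourceMatchingScope();` before the mutation and `request.setResourceMatchingScope(savedScope);` in the restore block — keeps the request's state symmetric on every path. The reason strings moved onto the new side still carry the typo `acces` in "User does not have acces to all rows of the table" and "User does not have acces to unmasked column values", which is worth correcting while these lines are being touched. The enclosing method begins and ends outside the hunk.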
@@ -1210,15 +1217,23 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return requestedResources; } - private boolean blockAccessIfRowfilterColumnMaskSpecified(HiveOperationType hiveOpType, HiveAccessType accessType) { - boolean ret = hiveOpType == HiveOperationType.EXPORT; + private boolean isBlockAccessIfRowfilterColumnMaskSpecified(HiveOperationType hiveOpType, RangerHiveAccessRequest request) { + boolean ret = false; + RangerHiveResource resource = (RangerHiveResource)request.getResource(); + HiveObjectType objType = resource.getObjectType(); + + if(objType == HiveObjectType.TABLE || objType == HiveObjectType.VIEW || objType == HiveObjectType.COLUMN) { + ret = hiveOpType == HiveOperationType.EXPORT; - if(! ret && accessType == HiveAccessType.UPDATE && hivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified) { - ret = true; + if(!ret) { + if (request.getHiveAccessType() == HiveAccessType.UPDATE && hivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified) { + ret = true; + } + } } if(LOG.isDebugEnabled()) { - LOG.debug("blockAccessIfRowfilterColumnMaskSpecified(" + hiveOpType + ", " + accessType + "): " + ret); + LOG.debug("isBlockAccessIfRowfilterColumnMaskSpecified(" + hiveOpType + ", " + request + "): " + ret); } return ret;
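Review bot: The new debug line `LOG.debug("isBlockAccessIfRowfilterColumnMaskSpecified(" + hiveOpType + ", " + request + "): " + ret);` serializes the whole request object where the old line logged only the access type, so whatever RangerHiveAccessRequest.toString() includes (user, groups, client address, if present) now lands in the debug log; logging `request.getHiveAccessType()` keeps the previous signal with narrower exposure. The nested `if(!ret) { if (...) { ret = true; } }` reads more directly as a single expression: `ret = hiveOpType == HiveOperationType.EXPORT || (request.getHiveAccessType() == HiveAccessType.UPDATE && hivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified);`. The cast `(RangerHiveResource)request.getResource()` is dereferenced without a null check; if the caller guarantees a non-null resource, a one-line comment stating that precondition would make the assumption explicit. The method's closing brace lies outside the hunk.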
