-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61108/
-----------------------------------------------------------
Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O
hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan
Neethiraj, and Velmurugan Periasamy.
Bugs: RANGER-1712
https://issues.apache.org/jira/browse/RANGER-1712
Repository: ranger
Description
-------
The RANGER-1578 issue used following logic in RangerHiveAuthorizer class.
segment 1:
if (isDataMaskEnabled(dataMaskResult)) {
if(result == null)
{ result = new RangerAccessResult(dataMaskResult.getServiceName(),
dataMaskResult.getServiceDef(), request); }
result.setIsAllowed(false); //set false
result.setPolicyId(dataMaskResult.getPolicyId());
result.setReason("User does not have acces to unmasked column values");
}
segment 2:
if(result == null || !result.getIsAllowed())
{ //result.getIsAllowed() must equal to false. So the logic is error. The
program logic will always go to the following code segment. String path =
resource.getAsString(); path = (path == null) ? "Unknown resource!!" :
buildPathForException(path, hiveOpType); throw new
HiveAccessControlException(String.format("Permission denied: user [%s] does not
have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path));
}
The error reason is as following:
The result.setIsAllowed(false) was call in segment 1. So The
result.getIsAllowed() must equal to false. This is a error.
1.Scenarios
create database cust;
use cust;
create table customer(id int,name_first string,name_last string,addr_country
string, data_of_birth date, phone_num string)ROW FORMAT DELIMITED
FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
insert into customer
values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');
Result:insert sucess
1):First create hive Access policy users:mr have acess to all privilege to
database(cust) and table(customer) and columns; (see Acess.png in detail)
insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
Result:insert sucess
2)Second create Masking policy on cust.customer.name_first (see Masking.png in
detail)
insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
Result: Error: Error while compiling statement: FAILED:
HiveAccessControlException Permission denied: user [glc] does not have [UPDATE]
privilege on [cust/customer] (state=42000,code=40000)
3.Solution:
Modify RangerHiveAuthorizer.java
change from "result.setIsAllowed(false);
result.setPolicyId(dataMaskResult.getPolicyId());
result.setReason("User does not have acces to unmasked column values");"
to
"result.setIsAllowed(dataMaskResult.getIsAllowed());
result.setPolicyId(dataMaskResult.getPolicyId());
if(!dataMaskResult.getIsAllowed())
{ result.setReason("User does not have acces to unmasked column values"); }
"
Diffs
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
56ef187
Diff: https://reviews.apache.org/r/61108/diff/1/
Testing
-------
Tested it!
Thanks,
Qiang Zhang
