> On July 31, 2017, 2:12 p.m., Colm O hEigeartaigh wrote:
> > I'm wondering what the expected output of "show grant user X" is? I would
> > have expected to see the privileges that correspond to policies created in
> > the Ranger admin service, but this is not the case. If the output is
> > nothing to do with Ranger policies, then I'm wondering what the use-case is
> > here for supporting this functionality with the Ranger authorizer?
>
> pengjianhua wrote:
>     The hive plugin affected the hive function after the hive plugin was used.
>     Lots of programs used the "show grant user" command before using the hive
>     plugin of Ranger. They ran successfully. Now these programs fail after the
>     user started using the hive plugin. The issue resolved this problem.
>     Details are as follows.
>     1. Executing 'show grant user' succeeds in hive when the user doesn't use
>        the ranger hive plugin.
>     2. Executing 'show grant user' fails in hive when the user uses the ranger
>        hive plugin.
>     The conclusion is that the hive command fails after the hive plugin of
>     ranger is used. All application programs using this command fail after
>     the user starts using the hive plugin of ranger. This issue affected the
>     hive functions which are OK if the user doesn't use our hive plugin.
>
> Colm O hEigeartaigh wrote:
>     What I'm wondering is what the purpose of "show user grant" is though,
>     once we are using the Ranger authorizer? If we are enabling Ranger to secure
>     Hive, then what purpose do the Hive privileges serve? The privileges won't be
>     enforced as the Ranger policies will be enforced instead?
>
> pengjianhua wrote:
>     I'm sorry. My description misled you. The patch would fix new defects
>     reported by Coverity Scan for Apache Ranger. Thanks a lot.
>
> Colm O hEigeartaigh wrote:
>     Yes I understand that, but I am questioning what this new feature that
>     was committed actually means in the context of Ranger authorization....
>
> pengjianhua wrote:
>     Ok. I understand what you mean now. I modify the issue to a bug. There will
>     be more modifications if we add it to the context of Ranger authorization.
>     New issues may be introduced if I add it to the context of Ranger
>     authorization. We fix this bug first, how about that? Then I will work with
>     our hive engineers to further analyze how to add it to the context of Ranger
>     authorization. And I will commit the function to Ranger after we analyze,
>     develop and carefully test. Thanks.

Ok sounds good. It would be great if you would take a look at the patch that was submitted for Hive Metadata with Ranger, it might link in with that...(RANGER-1247)

- Colm

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61202/#review181803
-----------------------------------------------------------

On Aug. 2, 2017, 6:59 a.m., pengjianhua wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61202/
> -----------------------------------------------------------
>
> (Updated Aug. 2, 2017, 6:59 a.m.)
>
> Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, and Qiang Zhang.
>
> Bugs: RANGER-1669
>     https://issues.apache.org/jira/browse/RANGER-1669
>
> Repository: ranger
>
> Description
> -------
>
> ** CID 166074:  Null pointer dereferences  (NULL_RETURNS)
> /hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java: 1474 in org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.showPrivileges(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal, org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)()
>
> ________________________________________________________________________________________________________
> *** CID 166074:  Null pointer dereferences  (NULL_RETURNS)
> /hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java: 1474 in org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.showPrivileges(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal, org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)()
> 1468                     .getType());
> 1469
> 1470             List<HiveObjectPrivilege> msObjPrivs = mClient.list_privileges(
> 1471                     principalName, principalType,
> 1472                     this.getThriftHiveObjectRef(privObj));
> 1473
> >>>     CID 166074:  Null pointer dereferences  (NULL_RETURNS)
> >>>     Calling a method on null object "msObjPrivs".
> 1474             for (HiveObjectPrivilege msObjPriv : msObjPrivs) {
> 1475                 HivePrincipal resPrincipal = new HivePrincipal(
> 1476                         msObjPriv.getPrincipalName(),
> 1477                         AuthorizationUtils.getHivePrincipalType(msObjPriv
> 1478                                 .getPrincipalType()));
> 1479
>
> ** CID 166073:  FindBugs: Bad practice  (FB.DMI_RANDOM_USED_ONLY_ONCE)
> /hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java: 601 in org.apache.ranger.authorization.hadoop.RangerHdfsPlugin.init()()
>
> ________________________________________________________________________________________________________
> *** CID 166073:  FindBugs: Bad practice  (FB.DMI_RANDOM_USED_ONLY_ONCE)
> /hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java: 601 in org.apache.ranger.authorization.hadoop.RangerHdfsPlugin.init()()
> 595             RangerHdfsPlugin.hadoopAuthEnabled = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT);
> 596             RangerHdfsPlugin.fileNameExtensionSeparator = RangerConfiguration.getInstance().get(RangerHdfsAuthorizer.RANGER_FILENAME_EXTENSION_SEPARATOR_PROP, RangerHdfsAuthorizer.DEFAULT_FILENAME_EXTENSION_SEPARATOR);
> 597             RangerHdfsPlugin.optimizeSubAccessAuthEnabled = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_PROP, RangerHadoopConstants.RANGER_OPTIMIZE_SUBACCESS_AUTHORIZATION_DEFAULT);
> 598
> 599             // Build random string of random length
> 600             byte[] bytes = new byte[1];
> >>>     CID 166073:  FindBugs: Bad practice  (FB.DMI_RANDOM_USED_ONLY_ONCE)
> >>>     Random object created and used only once.
> 601             new Random().nextBytes(bytes);
> 602             int count = bytes[0];
> 603             count = count < 56 ? 56 : count;
> 604             count = count > 112 ? 112 : count;
> 605
> 606             String random = RandomStringUtils.random(count, "^&#@!%()-_+=@:;'<>`~abcdefghijklmnopqrstuvwxyz01234567890");
>
> Diffs
> -----
>
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 6872e50
>   hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java 011d2c3
>
> Diff: https://reviews.apache.org/r/61202/diff/2/
>
> Testing
> -------
>
> tested it
>
> Thanks,
>
> pengjianhua
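
The two Coverity findings quoted above, as an added Java example (not the patch under review and not Ranger code; every class and method name is hypothetical, and listPrivileges is a stand-in for a client call that may return null). It normalises the null result before iterating, and draws the string length from one shared SecureRandom instead of a signed byte clamped to 56..112, a clamp that sends every byte value of 56 or below to the minimum length.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
// Added illustration: all names are hypothetical, none are Ranger or Hive APIs.
public class CoverityFindingsDemo {
    // Created once and reused, instead of `new Random()` per call (DMI_RANDOM_USED_ONLY_ONCE).
    private static final SecureRandom RNG = new SecureRandom();
    // Character set copied from the quoted line 606.
    private static final String CHARS = "^&#@!%()-_+=@:;'<>`~abcdefghijklmnopqrstuvwxyz01234567890";

    // Stand-in for a remote call that may return null when nothing matches.
    static List<String> listPrivileges(boolean hasGrants) {
        return hasGrants ? Arrays.asList("SELECT", "UPDATE") : null;
    }

    // NULL_RETURNS: treat a null result as "no privileges" before the for-each.
    static List<String> showPrivileges(boolean hasGrants) {
        List<String> fromStore = listPrivileges(hasGrants);
        if (fromStore == null) return Collections.emptyList();
        List<String> result = new ArrayList<>();
        for (String priv : fromStore) result.add(priv);
        return result;
    }

    // The flagged length logic: a signed byte (-128..127) clamped to 56..112.
    static int clampedLength(byte b) {
        int count = b;
        count = count < 56 ? 56 : count;
        return count > 112 ? 112 : count;
    }

    // Replacement: length drawn uniformly from 56..112, characters from the same generator.
    static String randomString() {
        int count = 56 + RNG.nextInt(112 - 56 + 1);
        StringBuilder sb = new StringBuilder(count);
        for (int i = 0; i < count; i++) {
            sb.append(CHARS.charAt(RNG.nextInt(CHARS.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("no grants -> " + showPrivileges(false));
        int atMin = 0;
        for (int v = Byte.MIN_VALUE; v <= Byte.MAX_VALUE; v++)
            if (clampedLength((byte) v) == 56) atMin++;
        System.out.println(atMin + " of 256 byte values give the minimum length 56");
        System.out.println("uniform length sample: " + randomString().length());
    }
}
```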
