[
https://issues.apache.org/jira/browse/RANGER-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
chuanjie.duan updated RANGER-2097:
----------------------------------
Description:
Reproduce step:
1. Hive agent enable deny policy
"{"enableDenyAndExceptionsInPolicies":"true"}" in ranger meta,
2. add policy "database:{USER}, table:* column:* "
3. create user:test database:test in linux and hive
4. add deny policy "database:test, table:*, column:*, deny: {group:public,
action:drop}"
5. beeline connect to hive and "use test"
6. user [test] does not have [USE] privilege on [test]

Cause:

RangerHiveAuthorizer.checkPrivileges

    if (hiveOpType == HiveOperationType.SHOWDATABASES) {
        RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
        // HiveAccessType.USE is highlighted in the report
        RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups,
                hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
        requests.add(request);
    }

RangerHiveAccessRequest.setHiveAccessType

    public void setHiveAccessType(HiveAccessType accessType) {
        this.accessType = accessType;
        // the USE branch is highlighted in the report
        if (accessType == HiveAccessType.USE) {
            this.setAccessType(RangerPolicyEngine.ANY_ACCESS);
        } else if (accessType == HiveAccessType.ADMIN) {
            this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
        } else {
            this.setAccessType(accessType.name().toLowerCase());
        }
    }

RangerDefaultPolicyItemEvaluator.matchAccessType
any type would always return true, so my deny policy matched.
RangerDefaultPolicyItemEvaluator.evaluatePolicyItems would try denyEvaluators
first.
So resource database matched test, user, group matched test,
"matchedPolicyItem.getPolicyItemType() ==
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY"
Finally return deny
was:
Reproduce step:
1. Hive agent enable deny policy
"{"enableDenyAndExceptionsInPolicies":"true"}" in ranger meta,
2. add policy "database:{USER}, table:* column:* "
3. create user:test database:test in linux and hive
4. add deny policy "database:test, table:*, column:*, deny: {group:public,
action:drop}"
5. beeline connect to hive and "use test"
> Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny
> policy enabled
> ---------------------------------------------------------------------------------------------
>
> Key: RANGER-2097
> URL: https://issues.apache.org/jira/browse/RANGER-2097
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 0.6.3
> Reporter: chuanjie.duan
> Priority: Major
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
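
The evaluation order described under "Cause", modelled as an added example. It is not Ranger source and not the reporter's code: the class, record and method names are hypothetical, `"_any"` is a stand-in for `RangerPolicyEngine.ANY_ACCESS`, the policy items are constructed from the reproduce steps, and Java 16+ is assumed for records. It shows a USE request, once translated to any-access, being matched by a deny item that lists only drop, while a concrete access type such as select is not.

```java
import java.util.List;
import java.util.Set;

// Simplified model of the evaluation flow described in this report.
// Not Ranger source: all names in this class are hypothetical.
public class DenyAnyAccessDemo {
    static final String ANY_ACCESS = "_any"; // stand-in for RangerPolicyEngine.ANY_ACCESS

    record Item(boolean deny, String principal, Set<String> accesses) {}

    // Mirrors setHiveAccessType as quoted: USE is translated to "any access".
    static String toAccessType(String hiveAccessType) {
        return hiveAccessType.equals("USE") ? ANY_ACCESS : hiveAccessType.toLowerCase();
    }

    // Mirrors the reported matchAccessType behaviour: "any" matches every item.
    static boolean matchAccessType(Item item, String accessType) {
        return accessType.equals(ANY_ACCESS) || item.accesses().contains(accessType);
    }

    // Deny items are tried first; the first matching item decides the result.
    static String evaluate(List<Item> items, Set<String> principals, String hiveAccessType) {
        String accessType = toAccessType(hiveAccessType);
        for (boolean denyPass : new boolean[] {true, false}) {
            for (Item item : items) {
                if (item.deny() == denyPass && principals.contains(item.principal())
                        && matchAccessType(item, accessType)) {
                    return denyPass ? "DENY" : "ALLOW";
                }
            }
        }
        return "NOT_DETERMINED";
    }

    public static void main(String[] args) {
        // Constructed policy items for database "test", following the reproduce steps.
        List<Item> items = List.of(
            new Item(false, "user:test", Set.of("select", "update", "create", "drop")),
            new Item(true, "group:public", Set.of("drop")));
        Set<String> principals = Set.of("user:test", "group:public");
        for (String op : List.of("SELECT", "DROP", "USE")) {
            System.out.println(op + " -> " + evaluate(items, principals, op));
        }
    }
}
```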