[ https://issues.apache.org/jira/browse/RANGER-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
chuanjie.duan updated RANGER-2097:
----------------------------------
    Description:

Reproduce steps:
1. Hive agent: enable deny policies with "{"enableDenyAndExceptionsInPolicies":"true"}" in ranger meta,
2. add policy "database:{USER}, table:*, column:*",
3. create user:test and database:test in Linux and Hive,
4. add deny policy "database:test, table:*, column:*, deny: {group:public, action:drop}",
5. connect to Hive with beeline and run "use test",
6. result: user [test] does not have [USE] privilege on [test]

Cause:

RangerHiveAuthorizer.checkPrivileges:

    if (hiveOpType == HiveOperationType.SHOWDATABASES) {
        RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
        RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
        requests.add(request);
    }

RangerHiveAccessRequest.setHiveAccessType:

    public void setHiveAccessType(HiveAccessType accessType) {
        this.accessType = accessType;
        if (accessType == HiveAccessType.USE) {
            // USE is mapped to the wildcard access type
            this.setAccessType(RangerPolicyEngine.ANY_ACCESS);
        } else if (accessType == HiveAccessType.ADMIN) {
            this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS);
        } else {
            this.setAccessType(accessType.name().toLowerCase());
        }
    }

RangerDefaultPolicyItemEvaluator.matchAccessType: the "any" access type always returns true, so my deny policy matched.
RangerDefaultPolicyItemEvaluator.evaluatePolicyItems tries denyEvaluators first.
So resource database matched test, user/group matched test, and "matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY".
Finally it returns deny.


> Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny policy enabled
> ---------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2097
>                 URL: https://issues.apache.org/jira/browse/RANGER-2097
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.6.3
>            Reporter: chuanjie.duan
>            Priority: Major
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
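To make the interaction the report describes easy to check, here is a small Python model of the evaluation path it quotes. This is an added example, not Ranger's own code: it reproduces only the three facts stated above (USE is mapped to ANY_ACCESS, matchAccessType accepts the wildcard against every item, deny items are evaluated before allow items). The allow policy's principal and action list for step 2 are assumptions, since the report does not give them; the access-type strings ANY_ACCESS and ADMIN_ACCESS are placeholders standing in for the RangerPolicyEngine constants.

```python
"""Toy model of the Ranger policy evaluation path described in RANGER-2097.

Added example, not Ranger's code. It models only what the report states:
  - RangerHiveAccessRequest maps HiveAccessType.USE to RangerPolicyEngine.ANY_ACCESS,
  - matchAccessType returns true for ANY_ACCESS regardless of the item's actions,
  - evaluatePolicyItems tries deny items before allow items.
The allow policy's principal and actions (step 2) are constructed assumptions.
"""
from dataclasses import dataclass

ANY_ACCESS = "_any"      # placeholder for RangerPolicyEngine.ANY_ACCESS
ADMIN_ACCESS = "_admin"  # placeholder for RangerPolicyEngine.ADMIN_ACCESS


@dataclass(frozen=True)
class PolicyItem:
    users: frozenset
    groups: frozenset
    accesses: frozenset  # Hive actions such as "select", "drop"


@dataclass(frozen=True)
class Policy:
    database: str        # "*", "{USER}" or a literal database name
    allow_items: tuple
    deny_items: tuple


def hive_access_to_request_access(hive_access_type: str) -> str:
    """Mirrors the setHiveAccessType mapping quoted in the report."""
    if hive_access_type == "USE":
        return ANY_ACCESS
    if hive_access_type == "ADMIN":
        return ADMIN_ACCESS
    return hive_access_type.lower()


def match_resource(pattern: str, database: str, user: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "{USER}":
        return database == user
    return pattern == database


def match_principal(item: PolicyItem, user: str, groups: frozenset) -> bool:
    return user in item.users or bool(item.groups & groups)


def match_access_type(item: PolicyItem, requested: str) -> bool:
    # The behaviour the report points at: a wildcard request matches every
    # item, including a deny item whose only listed action is "drop".
    if requested == ANY_ACCESS:
        return True
    return requested in item.accesses


def evaluate(policies, user, groups, database, hive_access_type) -> str:
    """Return "deny" or "allow" for one database-level request."""
    requested = hive_access_to_request_access(hive_access_type)
    # Deny items first, as the report says evaluatePolicyItems does.
    for policy in policies:
        if not match_resource(policy.database, database, user):
            continue
        for item in policy.deny_items:
            if match_principal(item, user, groups) and match_access_type(item, requested):
                return "deny"
    for policy in policies:
        if not match_resource(policy.database, database, user):
            continue
        for item in policy.allow_items:
            if match_principal(item, user, groups) and match_access_type(item, requested):
                return "allow"
    return "deny"  # nothing granted access: default deny


# Constructed policies following steps 2 and 4 of the report. The allow item's
# principal (group public) and action list are assumptions.
PUBLIC = frozenset({"public"})
POLICIES = (
    Policy(database="{USER}",
           allow_items=(PolicyItem(frozenset(), PUBLIC, frozenset({"select", "create", "drop"})),),
           deny_items=()),
    Policy(database="test",
           allow_items=(),
           deny_items=(PolicyItem(frozenset(), PUBLIC, frozenset({"drop"})),)),
)


def decide(hive_access_type: str) -> str:
    """User "test" (member of "public") against database "test", as in steps 5 and 6."""
    return evaluate(POLICIES, "test", PUBLIC, "test", hive_access_type)


if __name__ == "__main__":
    for op in ("USE", "SELECT", "DROP"):
        print(f"{op:>6}: {decide(op)}")
```

Run as a script it prints USE: deny, SELECT: allow, DROP: deny. The "use test" request is rejected by a deny item that names only drop, because the wildcard access type matches it, while a concrete SELECT against the same database is allowed since "select" is not in the deny item's action list. That is the mismatch the report attributes to matchAccessType; the deny item itself is scoped exactly as written.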