[jira] [Updated] (RANGER-2097) Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny policy enabled

Mon, 07 May 2018 06:30:28 -0700 

     [ 
https://issues.apache.org/jira/browse/RANGER-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

chuanjie.duan updated RANGER-2097:
----------------------------------
    Attachment: RANGER-2097.patch

> Hive Agent "user [test] does not have [USE] privilege on [test]" no when deny 
> policy enabled 
> ---------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2097
>                 URL: https://issues.apache.org/jira/browse/RANGER-2097
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.6.3
>            Reporter: chuanjie.duan
>            Priority: Major
>         Attachments: RANGER-2097.patch
>
>
> Reproduce step:
> 1. Hive agent enable deny policy 
> "\{"enableDenyAndExceptionsInPolicies":"true"}" in ranger meta,
> 2. add policy "database:\{USER}, table:* column:* "
> 3. create user:test database:test in linux and hive
> 4. add deny policy "database:test, table:*, column:*, deny: \{group:public, 
> action:drop}"
> 5.beeline connect to hive and "use test"
> 6. user [test] does not have [USE] privilege on [test]
>  
> Cause:
> RangerHiveAuthorizer.checkPrivileges
> if (hiveOpType == HiveOperationType.SHOWDATABASES) {
>  RangerHiveResource resource = new 
> RangerHiveResource(HiveObjectType.DATABASE, null);
>  RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, 
> user, groups, hiveOpType.name(), HiveAccessType.*{color:#ff0000}USE{color}*, 
> context, sessionContext);
>  requests.add(request);
>  }
> RangerHiveAccessRequest.setHiveAccessType
> public void setHiveAccessType(HiveAccessType accessType) {
>  this.accessType = accessType;
> *{color:#ff0000}if(accessType == HiveAccessType.USE) {{color}*
>  *{color:#ff0000}this.setAccessType(RangerPolicyEngine.ANY_ACCESS);{color}*
>  else if(accessType == HiveAccessType.ADMIN)
> { this.setAccessType(RangerPolicyEngine.ADMIN_ACCESS); }
> else
> { this.setAccessType(accessType.name().toLowerCase()); }
> }
> RangerDefaultPolicyItemEvaluator.matchAccessType
> any type would always return true, so my deny policy matched.
> RangerDefaultPolicyItemEvaluator.evaluatePolicyItems would try denyEvaluators 
> first.
> So resource database matched test , user,group matched test, 
> "matchedPolicyItem.getPolicyItemType() == 
> RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY"
> Finally return deny, same as "show databases", "show databases" would try 
> "SHOWDATABASES" and "use \{database}" one by one.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to