Hi,

While doing further tests in production the “isValidLeaf” is not working as we would expect it. Consider the following:

We would like to enable users to show all catalog names (i.e. SHOW CATALOGS), but not have access to every underlying schema (i.e. you should not be able to do “SHOW SCHEMAS FROM random_catalog”). So we set up a policy that says:

Presto catalog: * (Exclude) and set none to schema (using the isValidLeaf functionality).
Allow conditions: select + use

This works fine. Now we want to enable the user to access the Hive catalog with a schema Finance, so we set up an additional policy that says:

Presto catalog: “hive” (include), schema: finance (include), none for tables (again using the isValidLeaf functionality).
Allow conditions: select + use

This does *not* work. Access fails with an “access denied” to the catalog.

How do we set this up correctly?

Thanks
Bolke

On 17 April 2019 at 20:30:07, Bolke de Bruin ([email protected]) wrote:

Hi Abhay

Can you please answer the question on the review board on how to set a policy on just a catalog (so not on the underlying schema) with isValidLeaf = true?

Thx
Bolke

Sent from my iPad

> On 17 Apr 2019, at 00:51, Abhay Kulkarni <[email protected]> wrote:
>
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70394/#review214705
> -----------------------------------------------------------
>
>
>
>
> agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
> Lines 146 (patched)
> <https://reviews.apache.org/r/70394/#comment300924>
>
>     '},' ==> '}'
>
>     This will cause JSON error. Please remove the comma after curly brace.
>
>
> - Abhay Kulkarni
>
>
>> On April 16, 2019, 1:02 p.m., Bolke de Bruin wrote:
>>
>> -----------------------------------------------------------
>> This is an automatically generated e-mail. To reply, visit:
>> https://reviews.apache.org/r/70394/
>> -----------------------------------------------------------
>>
>> (Updated April 16, 2019, 1:02 p.m.)
>>
>>
>> Review request for ranger and Abhay Kulkarni.
>>
>>
>> Bugs: https://issues.apache.org/jira/browse/RANGER-2395
>>     https://issues.apache.org/jira/browse/https://issues.apache.org/jira/browse/RANGER-2395
>>
>>
>> Repository: ranger
>>
>>
>> Description
>> -------
>>
>> Presto Plugin for Ranger.
>>
>>
>> Diffs
>> -----
>>
>>   agents-common/scripts/enable-agent.sh b4194a736
>>   agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java cbfd649c9
>>   agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json PRE-CREATION
>>   plugin-presto/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION
>>   plugin-presto/conf/ranger-policymgr-ssl.xml PRE-CREATION
>>   plugin-presto/conf/ranger-presto-audit-changes.cfg PRE-CREATION
>>   plugin-presto/conf/ranger-presto-audit.xml PRE-CREATION
>>   plugin-presto/conf/ranger-presto-security-changes.cfg PRE-CREATION
>>   plugin-presto/conf/ranger-presto-security.xml PRE-CREATION
>>   plugin-presto/pom.xml PRE-CREATION
>>   plugin-presto/scripts/install.properties PRE-CREATION
>>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java PRE-CREATION
>>   plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java PRE-CREATION
>>   plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java PRE-CREATION
>>   plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoConnectionManager.java PRE-CREATION
>>   plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoResourceManager.java PRE-CREATION
>>   pom.xml 2a45f8b2d
>>   ranger-presto-plugin-shim/pom.xml PRE-CREATION
>>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/PrestoRangerPlugin.java PRE-CREATION
>>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerConfig.java PRE-CREATION
>>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java PRE-CREATION
>>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlFactory.java PRE-CREATION
>>   ranger-presto-plugin-shim/src/main/resources/META-INF/services/io.prestosql.spi.Plugin PRE-CREATION
>>   src/main/assembly/admin-web.xml 06ba8c4f0
>>   src/main/assembly/plugin-presto.xml PRE-CREATION
>>
>>
>> Diff: https://reviews.apache.org/r/70394/diff/5/
>>
>>
>> Testing
>> -------
>>
>> Tested in production.
>>
>> https://issues.apache.org/jira/browse/RANGER-2395
>>
>>
>> Thanks,
>>
>> Bolke de Bruin
>>
>>
>
