-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71296/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, 
Thejas Nair, and Velmurugan Periasamy.


Bugs: RANGER-2536
    https://issues.apache.org/jira/browse/RANGER-2536


Repository: ranger


Description
-------

RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based 
on resource owners


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java 2795906 
  agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 7408cbc 
  agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java d1e0c23 
  agents-common/src/test/resources/policyengine/test_policyengine_hive_default_policies.json PRE-CREATION 
  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 7c3e3ab 
  pom.xml 13d5a5b 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java af74daf 


Diff: https://reviews.apache.org/r/71296/diff/1/


Testing
-------

USED default policies:
"policies": [
  {
    "id": 1, "name": "database=*,table=*,column=* - audit-all-access", "isEnabled": true, "isAuditEnabled": true,
    "resources": {"database": {"values": ["*"]}, "table": {"values": ["*"]}, "column": {"values": ["*"]}},
    "policyItems": [
      {"accesses": [], "users": [], "groups": ["public"], "delegateAdmin": false}
    ]
  },
  {
    "id": 2, "name": "database=* - allow anyone to create database; grant owner all access", "isEnabled": true, "isAuditEnabled": true,
    "resources": {"database": {"values": ["*"]}},
    "policyItems": [
      {"accesses": [{"type": "create", "isAllowed": true}], "groups": ["public"], "delegateAdmin": false},
      {"accesses": [{"type": "all", "isAllowed": true}], "users": ["{OWNER}"], "delegateAdmin": false}
    ]
  },
  {
    "id": 3, "name": "database=*,table=* - allow owner all access to table", "isEnabled": true, "isAuditEnabled": true,
    "resources": {"database": {"values": ["*"]}, "table": {"values": ["*"]}},
    "policyItems": [
      {"accesses": [{"type": "all", "isAllowed": true}], "users": ["{OWNER}"], "delegateAdmin": false}
    ]
  },
  {
    "id": 4, "name": "database=*;table=*;column=* - allow owner all access to column", "isEnabled": true, "isAuditEnabled": true,
    "resources": {"database": {"values": ["*"]}, "table": {"values": ["*"]}, "column": {"values": ["*"]}},
    "policyItems": [
      {"accesses": [{"type": "all", "isAllowed": true}], "users": ["{OWNER}"], "delegateAdmin": false}
    ]
  }
],

TEST DONE:

AS user ranger:

create database rangerdb;                           => should pass (because of public create policy)
create table ranger_table (id int, name string);    => should fail as not owner for rangerdb;
select * from ranger_table;

AS user impala:

use rangerdb;                                       => should pass (because of public create policy)
create table impala_table(id int, name string);     => should fail as not owner for rangerdb;

create database impaladb;
use impaladb;
create table impala_table(id int, name string);     => should pass as an owner

give select access for rangerdb / table * to impala user
use impaladb;
create view test1_v as select * from ranger1.test1; => should pass as an owner
select * from test1_v;                              => should pass as owner

remove the policy for impala user for rangerdb / table *
use impaladb;
create view test1_v as select * from ranger1.test1; => should fail as impala user does not have select access to table ranger1.test1.

AS user ranger:

use impaladb;
select * from test1_v;                              => should fail as impala is the owner.

use rangerdb;
drop table ranger_table;                            => should pass as owner.

create database / udf policy for owner.

CREATE temporary function aes_encrypt_custom1 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFAesEncrypt' USING JAR 'hdfs:///apps/hive/share/udfs/hive-exec-3.1.0.3.0.0.0-1634.jar';
=> should pass as OWNER

create table impala_t1(id int, name string);
insert into table impala_t1 values (1,'SAM');
=> this should pass for OWNER.


Thanks,

Ramesh Mani
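The default policies in the Testing section above grant access through the {OWNER} placeholder in a policy item's users list. The Python below is an added example written for this page, not Ranger's policy engine or any code from the review: a toy evaluator that shows how a request is matched against those four policies when {OWNER} is resolved at evaluation time against the owner recorded on the resource. It assumes a simplified hierarchy (a policy applies only at exactly the resource levels it names), treats the group "public" as containing every user and the access type "all" as covering every access, and uses constructed owners (ranger owns rangerdb and ranger_table, impala owns impaladb and test1_v). It does not attempt to reproduce which Hive object the authorizer checks for "create table", so those steps of the test plan are not replayed; the requests it does replay are the ones whose resource and owner are unambiguous.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Placeholder Ranger accepts in a policy item's "users" list; it stands for
# the owner of the resource being accessed and is resolved per request.
OWNER_MACRO = "{OWNER}"
PUBLIC_GROUP = "public"

# The four default policies from the review's Testing section, reduced to the
# fields this toy needs (names and audit flags dropped, {"values": [...]}
# flattened to a plain list of values).
DEFAULT_POLICIES: List[dict] = [
    {"id": 1,
     "resources": {"database": ["*"], "table": ["*"], "column": ["*"]},
     "policyItems": [{"accesses": [], "groups": [PUBLIC_GROUP]}]},      # audit only
    {"id": 2,
     "resources": {"database": ["*"]},
     "policyItems": [{"accesses": ["create"], "groups": [PUBLIC_GROUP]},
                     {"accesses": ["all"], "users": [OWNER_MACRO]}]},
    {"id": 3,
     "resources": {"database": ["*"], "table": ["*"]},
     "policyItems": [{"accesses": ["all"], "users": [OWNER_MACRO]}]},
    {"id": 4,
     "resources": {"database": ["*"], "table": ["*"], "column": ["*"]},
     "policyItems": [{"accesses": ["all"], "users": [OWNER_MACRO]}]},
]


@dataclass
class Request:
    """One access check. `owner` is the owner recorded on the resource; it is
    constructed in this example (in Ranger it would come from the Hive plugin)."""
    user: str
    access: str
    resource: Dict[str, str]
    owner: Optional[str] = None
    groups: FrozenSet[str] = frozenset()


def _resource_matches(policy_res: Dict[str, List[str]], req_res: Dict[str, str]) -> bool:
    # Simplification: a policy applies only to requests at exactly the hierarchy
    # levels it names (a database-only policy does not cover a database+table request).
    if policy_res.keys() != req_res.keys():
        return False
    return all("*" in allowed or req_res[level] in allowed
               for level, allowed in policy_res.items())


def _item_matches(item: dict, req: Request) -> bool:
    users = item.get("users", [])
    groups = item.get("groups", [])
    # {OWNER} matches only when an owner is known and it is the requesting user.
    owner_hit = OWNER_MACRO in users and req.owner is not None and req.owner == req.user
    user_hit = req.user in users or owner_hit
    group_hit = PUBLIC_GROUP in groups or any(g in groups for g in req.groups)
    if not (user_hit or group_hit):
        return False
    accesses = item.get("accesses", [])
    return "all" in accesses or req.access in accesses


def authorize(req: Request, policies: List[dict] = DEFAULT_POLICIES) -> Optional[int]:
    """Return the id of the first policy granting the request, or None (deny by default)."""
    for policy in policies:
        if not _resource_matches(policy["resources"], req.resource):
            continue
        if any(_item_matches(item, req) for item in policy["policyItems"]):
            return policy["id"]
    return None


def review_scenarios() -> Dict[str, Optional[int]]:
    """Replay the checks from the test plan whose resource and owner are
    unambiguous. Owners are constructed: ranger owns rangerdb and ranger_table,
    impala owns impaladb and test1_v. The last case has no owner recorded."""
    cases = {
        "ranger: create database rangerdb":
            Request("ranger", "create", {"database": "rangerdb"}),
        "ranger: drop table rangerdb.ranger_table":
            Request("ranger", "drop", {"database": "rangerdb", "table": "ranger_table"}, owner="ranger"),
        "impala: select impaladb.test1_v":
            Request("impala", "select", {"database": "impaladb", "table": "test1_v"}, owner="impala"),
        "ranger: select impaladb.test1_v":
            Request("ranger", "select", {"database": "impaladb", "table": "test1_v"}, owner="impala"),
        "ranger: select rangerdb.ranger_table, owner unknown":
            Request("ranger", "select", {"database": "rangerdb", "table": "ranger_table"}),
    }
    return {name: authorize(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, granted in review_scenarios().items():
        print(f"{name:55s} -> {'ALLOW by policy ' + str(granted) if granted else 'DENY'}")
```

The last scenario is the caveat worth keeping in mind when building policies on the macro: if the plugin cannot supply an owner for the resource, {OWNER} grants nothing, so a policy set that relies only on it denies even the creator. That is the right failure direction, but it is why the default set above keeps a non-owner path (the public "create" item on database=*) for the one operation that has to succeed before any ownership exists.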
