-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71296/#review217234
-----------------------------------------------------------


Fix it, then Ship it!





hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 1256 (patched)
<https://reviews.apache.org/r/71296/#comment304513>

    inputs/outputs could be null (see line #502 #542 above). Please review and update to handle this condition.



hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 1258 (patched)
<https://reviews.apache.org/r/71296/#comment304514>

    Consider replacing equals() with equalsIgnoreCase() - in line #1258 and #1265.


- Madhan Neethiraj


On Aug. 16, 2019, 1:24 a.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71296/
> -----------------------------------------------------------
> 
> (Updated Aug. 16, 2019, 1:24 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
> Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, 
> Thejas Nair, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2536
>     https://issues.apache.org/jira/browse/RANGER-2536
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based 
> on resource owners
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java 2795906
>   agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 7408cbc
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java d1e0c23
>   agents-common/src/test/resources/policyengine/test_policyengine_hive_default_policies.json PRE-CREATION
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 7c3e3ab
>   pom.xml 13d5a5b
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java af74daf
> 
> 
> Diff: https://reviews.apache.org/r/71296/diff/1/
> 
> 
> Testing
> -------
> 
> USED default policies:
> "policies":[
>   {"id":1,"name":"database=*,table=*,column=* - audit-all-access","isEnabled":true,"isAuditEnabled":true,
>    "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
>    "policyItems":[
>      {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
>    ]
>   },
>   {"id":2,"name":"database=* - allow anyone to create database; grant owner all access ","isEnabled":true,"isAuditEnabled":true,
>     "resources":{"database":{"values":["*"]}},
>     "policyItems":[
>       {"accesses":[{"type":"create","isAllowed":true}],"groups":["public"],"delegateAdmin":false},
>       {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
>     ]
>   },
>   {"id":3,"name":"database=*,table=* - allow owner all access to table","isEnabled":true,"isAuditEnabled":true,
>     "resources":{"database":{"values":["*"]},"table":{"values":["*"]}},
>     "policyItems":[
>       {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
>     ]
>   },
>   {"id":4,"name":"database=*;table=*;column=* - allow owner all access to column","isEnabled":true,"isAuditEnabled":true,
>     "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
>     "policyItems":[
>       {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
>     ]
>   }
> ],
> 
> TEST DONE:
> 
> AS user ranger:
> 
> create database rangerdb;                          => should pass (because of public create policy)
> create table ranger_table (id int, name string);   => should fail as not owner for rangerdb;
> select * from ranger_table;
> 
> AS user impala:
> 
> use rangerdb;                                    => should pass (because of public create policy)
> create table impala_table(id int, name string)  => should fail as not owner for rangerdb;
> 
> create database impaladb;
> use impaladb;
> create table impala_table(id int, name string)  => should pass as an owner
> 
> give select access for rangerdb / table * for impala user
> use impaladb;
> create view test1_v as select * from ranger1.test1;   => should pass as an owner
> select * from test1_v  => should pass as owner
> 
> remove the policy for impala user for rangerdb / table *
> use impaladb;
> create view test1_v as select * from ranger1.test1;   => should fail as impala user doesn't have select access to table ranger1.test1.
> 
> AS user ranger:
> 
> use impaladb;
> select * from test1_v  => should fail as impala is the owner.
> 
> use rangerdb;
> drop table ranger_table => should pass as owner.
> 
> create database / udf policy for owner.
> 
> CREATE temporary function aes_encrypt_custom1 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFAesEncrypt' USING JAR 'hdfs:///apps/hive/share/udfs/hive-exec-3.1.0.3.0.0.0-1634.jar';
> 
> => should pass as OWNER
> 
> create table impala_t1(id int, name string);
> insert into table impala_t1 values (1,'SAM');
> => this should pass for OWNER.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>
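
An added example, not part of the review request or of Ranger's own code: a Python model of how the `{OWNER}` policy items quoted under Testing decide a request. The matching rule (same resource levels, wildcard values), the names `is_allowed`, `resource_matches` and `item_applies`, and passing the owner in as an argument are assumptions of this example; policy 1 is left out because its `accesses` list is empty.

```python
import json
from fnmatch import fnmatchcase

OWNER_MACRO = "{OWNER}"  # macro used in the "users" lists of the quoted policies

# Policies 2-4 from the Testing section, trimmed to the fields this model reads.
POLICIES = json.loads("""[
 {"id":2,"resources":{"database":{"values":["*"]}},
  "policyItems":[
   {"accesses":[{"type":"create","isAllowed":true}],"groups":["public"]},
   {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"]}]},
 {"id":3,"resources":{"database":{"values":["*"]},"table":{"values":["*"]}},
  "policyItems":[
   {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"]}]},
 {"id":4,"resources":{"database":{"values":["*"]},"table":{"values":["*"]},
                      "column":{"values":["*"]}},
  "policyItems":[
   {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"]}]}
]""")


def resource_matches(policy, resource):
    """Assumed rule: same resource levels, each value matching a policy pattern."""
    spec = policy["resources"]
    return spec.keys() == resource.keys() and all(
        any(fnmatchcase(resource[k], p) for p in spec[k]["values"]) for k in spec)


def item_applies(item, user, owner):
    """'public' covers every user; {OWNER} applies only when the owner is known."""
    if "public" in item.get("groups", []):
        return True
    users = item.get("users", [])
    return user in users or (
        OWNER_MACRO in users and owner is not None and user == owner)


def is_allowed(user, access, resource, owner=None):
    """Return the id of the first policy allowing the access, else None (deny)."""
    for policy in POLICIES:
        if not resource_matches(policy, resource):
            continue
        for item in policy["policyItems"]:
            granted = {a["type"] for a in item["accesses"] if a["isAllowed"]}
            if granted & {access, "all"} and item_applies(item, user, owner):
                return policy["id"]
    return None
```

A request whose resource carries no owner never matches an `{OWNER}` item in this model, so it falls through to deny unless another item grants the access.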
