Re: Review Request 71296: RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners

Ramesh Mani Thu, 15 Aug 2019 23:11:41 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71296/
-----------------------------------------------------------


(Updated Aug. 16, 2019, 6:10 a.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, 
Thejas Nair, and Velmurugan Periasamy.


Changes
-------

RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based 
on resource owners


Bugs: RANGER-2536
    https://issues.apache.org/jira/browse/RANGER-2536


Repository: ranger


Description
-------

RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based 
on resource owners


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
 2795906 
  agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 
7408cbc 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 d1e0c23 
  
agents-common/src/test/resources/policyengine/test_policyengine_hive_default_policies.json
 PRE-CREATION 
  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 7c3e3ab 
  pom.xml 13d5a5b 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java af74daf 


Diff: https://reviews.apache.org/r/71296/diff/2/

Changes: https://reviews.apache.org/r/71296/diff/1-2/


Testing
-------

USED default policies:
"policies":[
  {"id":1,"name":"database=*,table=*,column=* - 
audit-all-access","isEnabled":true,"isAuditEnabled":true,
   
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
   "policyItems":[
     {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
   ]
  }
  ,
  {"id":2,"name":"database=* - allow anyone to create database; grant owner all 
access ","isEnabled":true,"isAuditEnabled":true,
    "resources":{"database":{"values":["*"]}},
    "policyItems":[
      
{"accesses":[{"type":"create","isAllowed":true}],"groups":["public"],"delegateAdmin":false},
      
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
    ]
  },
  {"id":3,"name":"database=*,table=* - allow owner all access to 
table","isEnabled":true,"isAuditEnabled":true,
    "resources":{"database":{"values":["*"]},"table":{"values":["*"]}},
    "policyItems":[
      
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
    ]
  },
  {"id":4,"name":"database=*;table=*;column=* - allow owner all access to 
column","isEnabled":true,"isAuditEnabled":true,
    
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
    "policyItems":[
      
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
    ]
  }
],

TEST DONE:

AS user ranger:

create database rangerdb;                              => should pass ( because 
of public create policy)
create table ranger_table (id int, name string);   => should fail as not owner 
for rangerdb;
select * from ranger_table;

AS user impala:

use rangerdb;                                                       => should 
pass ( because of public create policy)
create table impala_table(id int, name string)  => should fail as not owner for 
rangerdb;

create database impaladb;
use impaladb;
create table impala_table(id int, name string)  => should pass as a owner

give select  access for rangerdb / table *  for impala user
use imapaladb;
create view test1_v as select * from ranger1.test1;     => should pass as a 
owner
select * from test1_v  => should pass as owner

remove the policy for impala user for rangerdb / table *
use imapaladb;
create view test1_v as select * from ranger1.test1;     => should fail as 
impala user don’t have select access to table ranger1.test1.

AS user ranger:

use impaladb;
select * from test1_v  => should fail as impala is the owner.

use rangerdb;
drop able ranger_table => should pass as owner.

create database / udf policy for owner.

CREATE temporary function aes_encrypt_custom1 AS 
'org.apache.hadoop.hive.ql.udf.generic.GenericUDFAesEncrypt' USING JAR  
'hdfs:///apps/hive/share/udfs/hive-exec-3.1.0.3.0.0.0-1634.jar';

=> should pass as OWNER

create table impala_t1(id int, name string);
insert into table impala_t1 values (1,'SAM’);
=> this should pass for OWNER.


Thanks,

Ramesh Mani

Re: Review Request 71296: RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners

Reply via email to