(Updated Aug. 16, 2019, 6:10 a.m.) Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, Thejas Nair, and Velmurugan Periasamy. Changes ------- RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners Bugs: RANGER-2536 https://issues.apache.org/jira/browse/RANGER-2536 Repository: ranger Description ------- RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners Diffs (updated) ----- agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java 2795906 agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 7408cbc agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java d1e0c23 agents-common/src/test/resources/policyengine/test_policyengine_hive_default_policies.json PRE-CREATION hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 7c3e3ab pom.xml 13d5a5b security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java af74daf Diff: https://reviews.apache.org/r/71296/diff/2/ Changes: https://reviews.apache.org/r/71296/diff/1-2/ Testing ------- USED default policies: "policies":[ {"id":1,"name":"database=*,table=*,column=* - audit-all-access","isEnabled":true,"isAuditEnabled":true, "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, "policyItems":[ {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} ] } , {"id":2,"name":"database=* - allow anyone to create database; grant owner all access ","isEnabled":true,"isAuditEnabled":true, "resources":{"database":{"values":["*"]}}, "policyItems":[ {"accesses":[{"type":"create","isAllowed":true}],"groups":["public"],"delegateAdmin":false}, {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false} ] }, {"id":3,"name":"database=*,table=* - allow 
owner all access to table","isEnabled":true,"isAuditEnabled":true, "resources":{"database":{"values":["*"]},"table":{"values":["*"]}}, "policyItems":[ {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false} ] }, {"id":4,"name":"database=*;table=*;column=* - allow owner all access to column","isEnabled":true,"isAuditEnabled":true, "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, "policyItems":[ {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false} ] } ], TEST DONE: AS user ranger: create database rangerdb; => should pass (because of the public create policy) create table ranger_table (id int, name string); => should fail as not owner for rangerdb; select * from ranger_table; AS user impala: use rangerdb; => should pass (because of the public create policy) create table impala_table(id int, name string) => should fail as not owner for rangerdb; create database impaladb; use impaladb; create table impala_table(id int, name string) => should pass as the owner. Grant select access on rangerdb / table * to the impala user: use impaladb; create view test1_v as select * from ranger1.test1; => should pass as the owner; select * from test1_v => should pass as the owner. Remove the policy for the impala user on rangerdb / table *: use impaladb; create view test1_v as select * from ranger1.test1; => should fail as the impala user does not have select access to table ranger1.test1. AS user ranger: use impaladb; select * from test1_v => should fail, since impala (not ranger) is the owner. use rangerdb; drop table ranger_table => should pass as the owner. Create a database / udf policy for the owner: CREATE temporary function aes_encrypt_custom1 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFAesEncrypt' USING JAR 'hdfs:///apps/hive/share/udfs/hive-exec-3.1.0.3.0.0.0-1634.jar'; => should pass as OWNER. create table impala_t1(id int, name string); insert into table impala_t1 values (1,'SAM'); => this should pass for the OWNER. 
Thanks, Ramesh Mani