[ 
https://issues.apache.org/jira/browse/RANGER-2664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989330#comment-16989330
 ] 

star commented on RANGER-2664:
------------------------------

 
{code:java}
For "Show database", the user just needs any permission on the database to get 
authorized.
filterListCmdObjects should be filtering out the databases which the user 
doesn't have access to. This is the behavior. 
{code}
Yes. But it is not working as expected. It can just filter all databases or 
filter nothing at all.

 
{code:java}
Ranger has an HMS plugin which will be used for filtering the metastore API 
calls. Are you referring to beeline HiveServer2 API calls or HMS API calls? In 
which version of Ranger are you verifying this?
{code}
We are using beeline HiveServer2. What do you mean by HMS, Hive Meta Store?

Digging into the source code of Hive 1.2, it filters out databases by 
MetaStoreFilterHook in HiveMetaStoreClient. When it is set to 
AuthorizationMetaStoreFilterHook, filterListCmdObjects of the Ranger Hive 
plugin will be called.

For now, if we want to filter databases, the following steps are needed. 
Suppose the user name is 'dave'.
 # Grant any privilege to dave on database '*'. (Required by checkPrivileges)
 # Grant any privilege to dave on the specific database 'db'. The user doesn't 
have any explicit privilege on other databases. (Required by 
filterListCmdObjects)

We are expecting only database 'db' to be shown by 'show database'. However, as 
dave has any privilege on '*', he also has any privilege on all databases. So 
all databases will be shown by 'show database'.

 

> filterListCmdObjects does not work in sql 'show databases'
> ----------------------------------------------------------
>
>                 Key: RANGER-2664
>                 URL: https://issues.apache.org/jira/browse/RANGER-2664
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: star
>            Priority: Major
>         Attachments: ranger-2664.patch
>
>
> In the Hive plugin, when executing the SQL 'show databases', 
> privilege HiveAccessType.USE is required on database '*'. If the USE 
> privilege is authorized, all databases will be shown. If not, the SQL will 
> be stuck when checking privilege.
> To solve the problem, just let the SQL 'show databases' pass through when 
> METASTORE_FILTER_HOOK is set to AuthorizationMetaStoreFilterHook. Privilege 
> HiveAccessType.USE is not required on database '*'.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
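
A simplified model of the two authorization stages discussed in this comment, added here as an illustration; it is not Ranger or Hive code. The function names mirror checkPrivileges and filterListCmdObjects, while the policy tuples, the database names other than 'db', the fnmatch-based wildcard matching and the skip_check_with_filter_hook flag (which models the change proposed in the issue description) are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data: (user, database pattern, granted access types).
ONLY_DB = [("dave", "db", {"select"})]
WILDCARD_AND_DB = [("dave", "*", {"select"}), ("dave", "db", {"select"})]
ALL_DATABASES = ["db", "finance", "hr"]  # hypothetical catalogue


def has_any_access(user, database, policies):
    """True if some policy for `user` covers `database` with any access type."""
    return any(
        who == user and bool(accesses) and fnmatchcase(database, pattern)
        for who, pattern, accesses in policies
    )


def check_privileges(user, policies):
    """Statement-level check: 'show databases' is evaluated against database '*'.

    Assumption of this model: the literal name '*' is only covered by a
    wildcard policy, so a grant on 'db' alone does not satisfy it.
    """
    return has_any_access(user, "*", policies)


def filter_list_cmd_objects(user, databases, policies):
    """Per-object filter: keep only databases the user has any access to."""
    return [d for d in databases if has_any_access(user, d, policies)]


def show_databases(user, policies, skip_check_with_filter_hook=False):
    """Run both stages; the flag skips the statement-level check."""
    if not skip_check_with_filter_hook and not check_privileges(user, policies):
        raise PermissionError("no privilege on database '*'")
    return filter_list_cmd_objects(user, ALL_DATABASES, policies)


if __name__ == "__main__":
    # The wildcard grant needed to pass the check also matches every
    # database in the filter, so nothing is filtered out.
    print(show_databases("dave", WILDCARD_AND_DB))
    # Without the wildcard grant the statement is rejected before filtering.
    try:
        show_databases("dave", ONLY_DB)
    except PermissionError as exc:
        print("denied:", exc)
    # With the check skipped, the filter alone yields the expected result.
    print(show_databases("dave", ONLY_DB, skip_check_with_filter_hook=True))
```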
