-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Nitin Galave, Nixon Rodrigues, Ramesh Mani, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Bugs: RANGER-2763
    https://issues.apache.org/jira/browse/RANGER-2763


Repository: ranger


Description
-------

**Problem Statement:** The Hive SET ROLE command is not supported in the Ranger 
Hive plugin.
Error message: setCurrentRole() not implemented in Ranger 
AbstractHiveAuthorizer

**Proposed Solution:** Added implementation as per 
https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520

However, the user's role list will not be fetched from the Hive metastore; 
rather, it will be fetched from Ranger admin.

Note: The "set role" command may not generate any audit logs as of now. I could 
not test this as I don't have an environment.


Diffs
-----

  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 a6f74b95e 
  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
 c752489ef 


Diff: https://reviews.apache.org/r/72429/diff/1/


Testing
-------

With patch:
1) Added two roles in Ranger admin, "admin" and "public", and added the hive 
user to them. 
2) logged in as the hive user in the Hive CLI and executed command "show current 
roles"
3) output received "public"
4) executed command "set role admin" and command was executed successfully
5) executed command "show current roles"
6) output received "admin"
7) executed command "show roles"
8) command failed to execute as "hive" is not an admin in Ranger and only user 
having "admin" role is ranger-admin can execute that.


Thanks,

Pradeep Agrawal
