-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220495
-----------------------------------------------------------


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 127 (patched)
<https://reviews.apache.org/r/72429/#comment308947>

    The user can pick only one role to the current-role, right? If user doesn't specify any, then all roles assigned to the user (and user's groups) will be used to authorize the access. So, I suggest to consider replacing:
      private List<String> currentRoles;

    with:
      private String useRole;

    In addition, it will be necessary to update policy evaluation to only use the role specified in 'setRole()' to perform authorization. Please review and update.


- Madhan Neethiraj


On April 24, 2020, 2:17 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72429/
> -----------------------------------------------------------
>
> (Updated April 24, 2020, 2:17 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav,
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan
> Neethiraj, Mehul Parikh, Nitin Galave, Nixon Rodrigues, Ramesh Mani, Sailaja
> Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2763
>     https://issues.apache.org/jira/browse/RANGER-2763
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Hive SET Role command is not supported in Ranger hive
> plugin
> Error message : setCurrentRole() not implemented in Ranger
> AbstractHiveAuthorizer
>
> **Proposed Solution:** Added implementation as per
> https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520
>
> However user's role list will not be fetched from Hivemetastore, rather it
> will be fetched from Ranger admin.
>
> Note: command "set role" may not generate any audit logs as of now. I could
> not test the same as I don't have an environment.
>
>
> Diffs
> -----
>
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java a6f74b95e
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java c752489ef
>
>
> Diff: https://reviews.apache.org/r/72429/diff/1/
>
>
> Testing
> -------
>
> With patch:
> 1) Added two roles in ranger admin "admin" and "public" and added hive user
> in that.
> 2) logged in from hive user in hive cli and executed command "show current
> roles"
> 3) output received "public"
> 4) executed command "set role admin" and command was executed successfully
> 5) executed command "show current roles"
> 6) output received "admin"
> 7) executed command "show roles"
> 8) command failed to execute as "hive" is not an admin in Ranger and only
> user having "admin" role is ranger-admin can execute that.
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
