[
https://issues.apache.org/jira/browse/RANGER-2754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17104891#comment-17104891
]
t oo commented on RANGER-2754:
------------------------------
332 prestosql release's
[https://github.com/prestosql/presto/commit/0039dd8b2922df2c2ce57ccd337c357e5136bc3f]
seems to have broken column masking (tried MASK_SHOW_LAST_4):
io.prestosql.spi.PrestoException: line 1:16: Invalid column mask for
'hive.meta.presto_queries.username': Access Denied: Cannot execute function
regexp_replace
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.analyzeColumnMask(StatementAnalyzer.java:2537)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.lambda$analyzeFiltersAndMasks$13(StatementAnalyzer.java:1073)
at com.google.common.collect.ImmutableList.forEach(ImmutableList.java:405)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.analyzeFiltersAndMasks(StatementAnalyzer.java:1073)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.visitTable(StatementAnalyzer.java:1057)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.visitTable(StatementAnalyzer.java:300)
at io.prestosql.sql.tree.Table.accept(Table.java:53)
at io.prestosql.sql.tree.AstVisitor.process(AstVisitor.java:27)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.process(StatementAnalyzer.java:315)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.analyzeFrom(StatementAnalyzer.java:2307)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.visitQuerySpecification(StatementAnalyzer.java:1257)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.visitQuerySpecification(StatementAnalyzer.java:300)
at io.prestosql.sql.tree.QuerySpecification.accept(QuerySpecification.java:144)
at io.prestosql.sql.tree.AstVisitor.process(AstVisitor.java:27)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.process(StatementAnalyzer.java:315)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.process(StatementAnalyzer.java:325)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.visitQuery(StatementAnalyzer.java:910)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.visitQuery(StatementAnalyzer.java:300)
at io.prestosql.sql.tree.Query.accept(Query.java:107)
at io.prestosql.sql.tree.AstVisitor.process(AstVisitor.java:27)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.process(StatementAnalyzer.java:315)
at
io.prestosql.sql.analyzer.StatementAnalyzer.analyze(StatementAnalyzer.java:292)
at io.prestosql.sql.analyzer.Analyzer.analyze(Analyzer.java:83)
at io.prestosql.sql.analyzer.Analyzer.analyze(Analyzer.java:75)
at io.prestosql.execution.SqlQueryExecution.analyze(SqlQueryExecution.java:217)
at io.prestosql.execution.SqlQueryExecution.<init>(SqlQueryExecution.java:176)
at io.prestosql.execution.SqlQueryExecution.<init>(SqlQueryExecution.java:93)
at
io.prestosql.execution.SqlQueryExecution$SqlQueryExecutionFactory.createQueryExecution(SqlQueryExecution.java:705)
at
io.prestosql.dispatcher.LocalDispatchQueryFactory.lambda$createDispatchQuery$0(LocalDispatchQueryFactory.java:121)
at
io.prestosql.$gen.Presto_014fffb_dirty__333____20200511_183941_2.call(Unknown
Source)
at
com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
at
com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
at
com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: io.prestosql.spi.PrestoException: line 1:6: Access Denied: Cannot
execute function regexp_replace
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitFunctionCall(ExpressionAnalyzer.java:930)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitFunctionCall(ExpressionAnalyzer.java:327)
at io.prestosql.sql.tree.FunctionCall.accept(FunctionCall.java:110)
at
io.prestosql.sql.tree.StackableAstVisitor.process(StackableAstVisitor.java:27)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.process(ExpressionAnalyzer.java:350)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitCast(ExpressionAnalyzer.java:1147)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitCast(ExpressionAnalyzer.java:327)
at io.prestosql.sql.tree.Cast.accept(Cast.java:91)
at
io.prestosql.sql.tree.StackableAstVisitor.process(StackableAstVisitor.java:27)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.process(ExpressionAnalyzer.java:350)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer.analyze(ExpressionAnalyzer.java:288)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer.analyzeExpression(ExpressionAnalyzer.java:1601)
at
io.prestosql.sql.analyzer.StatementAnalyzer$Visitor.analyzeColumnMask(StatementAnalyzer.java:2525)
... 35 more
Caused by: io.prestosql.spi.security.AccessDeniedException: Access Denied:
Cannot execute function regexp_replace
at
io.prestosql.spi.security.AccessDeniedException.denyExecuteFunction(AccessDeniedException.java:436)
at
io.prestosql.spi.security.SystemAccessControl.checkCanExecuteFunction(SystemAccessControl.java:491)
at
io.prestosql.security.AccessControlManager.lambda$checkCanExecuteFunction$68(AccessControlManager.java:802)
at
io.prestosql.security.AccessControlManager.systemAuthorizationCheck(AccessControlManager.java:889)
at
io.prestosql.security.AccessControlManager.checkCanExecuteFunction(AccessControlManager.java:802)
at
io.prestosql.security.ForwardingAccessControl.checkCanExecuteFunction(ForwardingAccessControl.java:339)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitFunctionCall(ExpressionAnalyzer.java:970)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitFunctionCall(ExpressionAnalyzer.java:327)
at io.prestosql.sql.tree.FunctionCall.accept(FunctionCall.java:110)
at
io.prestosql.sql.tree.StackableAstVisitor.process(StackableAstVisitor.java:27)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.process(ExpressionAnalyzer.java:350)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.getCallArgumentTypes(ExpressionAnalyzer.java:1012)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitFunctionCall(ExpressionAnalyzer.java:914)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitFunctionCall(ExpressionAnalyzer.java:327)
at io.prestosql.sql.tree.FunctionCall.accept(FunctionCall.java:110)
at
io.prestosql.sql.tree.StackableAstVisitor.process(StackableAstVisitor.java:27)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.process(ExpressionAnalyzer.java:350)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitLambdaExpression(ExpressionAnalyzer.java:1317)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitLambdaExpression(ExpressionAnalyzer.java:327)
at io.prestosql.sql.tree.LambdaExpression.accept(LambdaExpression.java:60)
at
io.prestosql.sql.tree.StackableAstVisitor.process(StackableAstVisitor.java:27)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.process(ExpressionAnalyzer.java:350)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer.analyze(ExpressionAnalyzer.java:294)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer.access$2200(ExpressionAnalyzer.java:174)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.lambda$getCallArgumentTypes$2(ExpressionAnalyzer.java:1008)
at
io.prestosql.sql.analyzer.TypeSignatureProvider.getTypeSignature(TypeSignatureProvider.java:60)
at
io.prestosql.metadata.SignatureBinder$FunctionSolver.update(SignatureBinder.java:791)
at
io.prestosql.metadata.SignatureBinder.iterativeSolve(SignatureBinder.java:417)
at
io.prestosql.metadata.SignatureBinder.bindVariables(SignatureBinder.java:124)
at io.prestosql.metadata.SignatureBinder.bind(SignatureBinder.java:101)
at
io.prestosql.metadata.FunctionResolver.identifyApplicableFunctions(FunctionResolver.java:181)
at
io.prestosql.metadata.FunctionResolver.matchFunction(FunctionResolver.java:151)
at
io.prestosql.metadata.FunctionResolver.matchFunctionExact(FunctionResolver.java:141)
at
io.prestosql.metadata.FunctionResolver.resolveFunction(FunctionResolver.java:103)
at
io.prestosql.metadata.MetadataManager.lambda$resolveFunction$24(MetadataManager.java:1411)
at java.base/java.util.Optional.orElseGet(Unknown Source)
at
io.prestosql.metadata.MetadataManager.resolveFunction(MetadataManager.java:1411)
at
io.prestosql.sql.analyzer.ExpressionAnalyzer$Visitor.visitFunctionCall(ExpressionAnalyzer.java:918)
... 47 more
> Update presto dependency and implement row/column level security
> ----------------------------------------------------------------
>
> Key: RANGER-2754
> URL: https://issues.apache.org/jira/browse/RANGER-2754
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Affects Versions: master
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Major
> Fix For: 2.1.0
>
> Attachments:
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> 0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch,
> RANGER-2754-v2.patch, RANGER-2754.patch
>
>
> 1. PrestoSql has changed its Security API hence the Ranger plugin has stopped
> working for versions > ~321.
> 2. Presto master now has row/column level security support
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
