> On July 3, 2020, 5:06 p.m., Madhan Neethiraj wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Line 2551 (original), 2551 (patched)
> > <https://reviews.apache.org/r/72642/diff/1/?file=2235348#file2235348line2551>
> >
> >     Please review if #2391 needs to be updated to handle 'objectName==null', similar to #2551.
> >
> >     2391: hivePrivilegeObject = new HivePrivilegeObject(objectType, dbName, objectName);
>
> Jiayi Liu wrote:
>     I think that in #2391, we do not need to consider the case of objectName==null. Here, hivePrivilegeObject is to obtain the ACL corresponding to the Resource. objectName == null will not affect the result of obtaining the ACL. If objectName == null and dbName != null, it will correctly obtain the ACL of dbName; if we set objectName to *, it will affect the correctness of the result, because no table is named *.
>
>     Setting objectName to * at #2551 is just for display. The privilegeObject at #2551 is only used to create a new HivePrivilegeInfo, and the role of HivePrivilegeInfo is only to display the result of ACL.
>
> Jiayi Liu wrote:
>     If we don't set objectName to *, it's OK, but the table column in the result list will be empty, which looks a bit strange. But it is also reasonable, what do you think?
>     +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
>     | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
>     +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
>     | default   |        | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
>     | default   |        | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
>     | default   |        | []         | []      | hue             | USER            | SELECT     | false         | 0           | ranger   |
>     +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
I checked Hive SQL standard based authorization: when we show grant at the database level, the table column is also displayed as empty. In order to maintain consistency, I don't think it is necessary to modify the display content to "*" to represent all tables in the database. I removed the code to modify objectName, please review it again.


- Jiayi


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72642/#review221119
-----------------------------------------------------------


On July 6, 2020, 2:21 a.m., Jiayi Liu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72642/
> -----------------------------------------------------------
>
> (Updated July 6, 2020, 2:21 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2893
>     https://issues.apache.org/jira/browse/RANGER-2893
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When we enable Ranger Hive plugin, show grant at the database level will fail, and throw the exception "RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level", although we are not showing grants at the user level, but at the database level.
>
> For example,
> ```sql
> show grant on database default;
> ```
> and the exception,
> ```bash
> ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. RangerHiveAuthorizer.showPrivileges() error: RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level
> ```
>
> The reason is that the parameter privObj.objectName passed to RangerHiveAuthorizer.showPrivileges is null when we show grant at the database level, and the exception "RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level" will be thrown when objectName is null. The function is normal when the type of privObj is TABLE, because the dbName is the db name and the objectName is the table name.
>
> We should check whether the dbName is null instead of checking the objectName. We also need to fix the objectName to "*" when it is null to represent all tables in the db in HivePrivilegeInfo.
>
>
> Diffs
> -----
>
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java c8761108b
>
>
> Diff: https://reviews.apache.org/r/72642/diff/2/
>
>
> Testing
> -------
>
> show grant on database will correctly display privileges, and display '*' in the table column to represent all tables in a db.
> ```bash
> SHOW GRANT on database default;
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hue             | USER            | SELECT     | false         | 0           | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> ```
>
>
> Thanks,
>
> Jiayi Liu
>
>
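As an added illustration of the check discussed in this thread (this is not Ranger's RangerHiveAuthorizer code; the class, enum and field names are assumptions modelled on the HivePrivilegeObject constructor quoted above), the following standalone Java contrasts the objectName null check that rejected database-level SHOW GRANT with the dbName check the review arrives at, and renders the table column empty as the final revision settles on:

```java
// Simplified stand-in for the showPrivileges() resource check discussed in
// RANGER-2893; not Ranger's own code. Names below are assumptions.
public class ShowGrantCheck {
    enum ObjectType { DATABASE, TABLE_OR_VIEW }

    // Minimal model of the privilege object Hive hands to showPrivileges().
    static final class PrivObj {
        final ObjectType type; final String dbName; final String objectName;
        PrivObj(ObjectType type, String dbName, String objectName) {
            this.type = type; this.dbName = dbName; this.objectName = objectName;
        }
    }

    static final String ERR = "RangerHiveAuthorizer.showPrivileges() only supports "
        + "SHOW PRIVILEGES for Hive resources and not user level";

    // Before the fix: a database-level request carries objectName == null,
    // so it is wrongly treated as a user-level request and rejected.
    static boolean isHiveResourceBefore(PrivObj p) {
        return p != null && p.objectName != null;
    }

    // After the fix: the request targets a Hive resource whenever it names a
    // database; objectName is null for SHOW GRANT ON DATABASE, set for a table.
    static boolean isHiveResourceAfter(PrivObj p) {
        return p != null && p.dbName != null;
    }

    // Table column of the SHOW GRANT result row. A null objectName is shown
    // as empty, matching Hive's SQL-standard authorizer, rather than "*".
    static String tableColumn(PrivObj p) {
        return p.objectName == null ? "" : p.objectName;
    }

    public static void main(String[] args) {
        PrivObj db = new PrivObj(ObjectType.DATABASE, "default", null);
        PrivObj tbl = new PrivObj(ObjectType.TABLE_OR_VIEW, "default", "t1");
        PrivObj userLevel = new PrivObj(null, null, null); // no resource named
        for (PrivObj p : new PrivObj[] {db, tbl, userLevel}) {
            System.out.printf("db=%s table='%s' before=%s after=%s%n",
                p.dbName, tableColumn(p), isHiveResourceBefore(p), isHiveResourceAfter(p));
        }
        // Only the request naming no database is still rejected after the fix.
        if (!isHiveResourceAfter(userLevel)) System.out.println(ERR);
    }
}
```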