-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72647/#review221134
-----------------------------------------------------------
Interpreting policy create time as grant time is not correct. For example: multiple grants for the same database/table will update the same policy. Each grant could have been performed at different days/times. However, with the approach suggested in this patch, grant time for all will be shown the same - which is incorrect. I suggest to retain the current behavior (of showing 0 as the grant time), and claim that grant-time is unsupported with Ranger authorizer (instead of showing incorrect timestamps).

- Madhan Neethiraj


On July 6, 2020, 6:53 a.m., Jiayi Liu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72647/
> -----------------------------------------------------------
>
> (Updated July 6, 2020, 6:53 a.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-2896
>     https://issues.apache.org/jira/browse/RANGER-2896
>
>
> Repository: ranger
>
>
> Description
> -------
>
> show grant can not display grant_time, because RANGER-836 pruned the content of policy download.
>
> When using show grant, grant_time will always be 0.
>
> ```bash
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> ```
>
> In RangerHiveAuthorizer.createHivePrivilegeInfo function, it gets creationDate from policy.getCreateTime().
>
> ```java
> if (accessTypes.contains(aclName.toLowerCase()) && (users.contains(hivePrincipal.getName())
>         || groups.contains(hivePrincipal.getName()))) {
>     creationDate = (policy.getCreateTime() == null) ? creationDate : (int) (policy.getCreateTime().getTime()/1000);
>     delegateAdmin = (policyItem.getDelegateAdmin() == null) ? delegateAdmin : policyItem.getDelegateAdmin().booleanValue();
> }
> ```
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java a09a35295
>
>
> Diff: https://reviews.apache.org/r/72647/diff/1/
>
>
> Testing
> -------
>
> show grant can display grant_time.
> ```bash
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 1594004452000  | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> ```
>
>
> Thanks,
>
> Jiayi Liu
>
>
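
The objection raised in the review can be reproduced with a small model. This is an added example, not part of the e-mail thread and not Ranger code; it assumes one policy per resource with each grant appending an item to it, and the names `GrantTimeDemo`, `grant`, `reportedGrantTime` and `grantedAtMs` are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model, not Ranger code. Assumption: one policy per resource,
// and every grant on that resource appends an item to the existing policy.
public class GrantTimeDemo {
    static class PolicyItem {
        final String user, accessType;
        final long grantedAtMs; // hypothetical ground-truth field, for comparison only
        PolicyItem(String user, String accessType, long grantedAtMs) {
            this.user = user; this.accessType = accessType; this.grantedAtMs = grantedAtMs;
        }
    }

    static class Policy {
        final long createTimeMs; // set once, when the first grant creates the policy
        final List<PolicyItem> items = new ArrayList<>();
        Policy(long createTimeMs) { this.createTimeMs = createTimeMs; }
    }

    static final Map<String, Policy> POLICIES = new LinkedHashMap<>();

    // Later grants reuse the policy, so createTimeMs never moves.
    static void grant(String resource, String user, String accessType, long nowMs) {
        Policy p = POLICIES.computeIfAbsent(resource, r -> new Policy(nowMs));
        p.items.add(new PolicyItem(user, accessType, nowMs));
    }

    // Same derivation as the quoted snippet: policy create time in seconds.
    static int reportedGrantTime(Policy p) {
        return (int) (p.createTimeMs / 1000);
    }

    public static void main(String[] args) {
        final long dayMs = 24L * 60 * 60 * 1000;
        final long t0 = 1594004452000L; // constructed sample times (ms)
        grant("default/*", "hadoop", "select", t0);
        grant("default/*", "hadoop", "update", t0 + 3 * dayMs);
        grant("default/*", "hadoop", "drop", t0 + 10 * dayMs);

        Policy p = POLICIES.get("default/*");
        for (PolicyItem item : p.items) {
            System.out.printf("%-6s reported=%d actual=%d%n",
                    item.accessType, reportedGrantTime(p), item.grantedAtMs / 1000);
        }
    }
}
```

Every row prints the same reported value while the actual grant times are days apart, so an audit that relies on `grant_time` would date the later grants to the first one.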
