> On July 6, 2020, 3:05 p.m., Madhan Neethiraj wrote:
> > Interpreting policy create time as grant time is not correct. For example: 
> > multiple grants for the same database/table will update the same policy. 
> > Each grant could have been performed at different days/times. However, with 
> > the approach suggested in this patch, grant time for all will be shown the 
> > same - which is incorrect. I suggest to retain the current behavior (of 
> > showing 0 as the grant time), and claim that grant-time is unsupported with 
> > Ranger authorizer (instead of showing incorrect timestamps).

I think you are right, I will close this review.


- Jiayi


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72647/#review221134
-----------------------------------------------------------


On July 6, 2020, 6:53 a.m., Jiayi Liu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72647/
> -----------------------------------------------------------
> 
> (Updated July 6, 2020, 6:53 a.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-2896
>     https://issues.apache.org/jira/browse/RANGER-2896
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> show grant can not display grant_time, because RANGER-836 pruned the content 
> of policy download.
> 
> When using show grant, grant_time will always be 0.
> 
> ```bash
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> ```
> 
> In RangerHiveAuthorizer.createHivePrivilegeInfo function, it gets 
> creationDate from policy.getCreateTime().
> 
> ```java
> if (accessTypes.contains(aclName.toLowerCase()) && (users.contains(hivePrincipal.getName()) || groups.contains(hivePrincipal.getName()))) {
>     creationDate = (policy.getCreateTime() == null) ? creationDate : (int) (policy.getCreateTime().getTime()/1000);
>     delegateAdmin = (policyItem.getDelegateAdmin() == null) ? delegateAdmin : policyItem.getDelegateAdmin().booleanValue();
> }
> ```
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java a09a35295
> 
> 
> Diff: https://reviews.apache.org/r/72647/diff/1/
> 
> 
> Testing
> -------
> 
> show grant can display grant_time.
> ```bash
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 1594004452000  | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 1594004452000  | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
> ```
> 
> 
> Thanks,
> 
> Jiayi Liu
> 
>
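
The reviewer's objection (several grants on the same database/table land in one policy, so a create-time-based grant_time is identical for all of them), as an added example that is not part of the original thread and not Ranger code. `Policy`, `Item`, `grant` and the per-item `grantedAt` field are a hypothetical minimal model, and the sample grants are constructed.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class GrantTimeDemo {
    // Hypothetical model: grantedAt is tracked here only to expose the error.
    record Item(String user, String privilege, Instant grantedAt) {}

    static final class Policy {
        final Instant createTime;               // fixed when the first grant creates the policy
        final List<Item> items = new ArrayList<>();
        Policy(Instant createTime) { this.createTime = createTime; }
    }

    static final Map<String, Policy> POLICIES = new HashMap<>();

    // Assumption taken from the review comment: a grant on an existing
    // resource updates the same policy instead of creating a new one.
    static void grant(String resource, String user, String privilege, Instant when) {
        Policy p = POLICIES.computeIfAbsent(resource, r -> new Policy(when));
        p.items.add(new Item(user, privilege, when));
    }

    public static void main(String[] args) {
        // Constructed sample: three grants on the same resource, days apart.
        grant("default.*", "hadoop", "SELECT", Instant.parse("2020-07-06T03:00:52Z"));
        grant("default.*", "hadoop", "UPDATE", Instant.parse("2020-07-09T10:15:00Z"));
        grant("default.*", "alice",  "DROP",   Instant.parse("2020-08-01T08:30:00Z"));

        Policy p = POLICIES.get("default.*");
        long reported = p.createTime.getEpochSecond();   // what a createTime-based grant_time shows
        for (Item i : p.items) {
            long actual = i.grantedAt().getEpochSecond();
            System.out.printf("%-7s %-7s reported=%d actual=%d error=%ds%n",
                    i.user(), i.privilege(), reported, actual, actual - reported);
        }
    }
}
```

Only the first row has a zero error; every later grant is reported with the first grant's timestamp, which is the misleading output the reviewer wanted to avoid in favour of an explicit 0.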
