Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

[Ramesh Mani]

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/
-----------------------------------------------------------

(Updated Jan. 27, 2021, 9:19 p.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja 
Polavarapu, and Velmurugan Periasamy.


Changes
-------

Fixed review comments and revised patch to introduced configuration parameter 
"service admins" to authorize show role calls.


Bugs: RANGER-2640
    https://issues.apache.org/jira/browse/RANGER-2640


Repository: ranger


Description
-------

RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
 7b34f77da 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 71f8daeb5 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 4e0c98e9e 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
 81b1971a8 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 fda57f947 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java 
0268e2f30 
  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 5bd5c2da4 
  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
 e06f1357f 


Diff: https://reviews.apache.org/r/71899/diff/2/

Changes: https://reviews.apache.org/r/71899/diff/1-2/


Testing (updated)
-------

- Verified in Local VM.
- Show Role Grant <user|group|role> <principal> implementation. 
- Revised that patch to handle the ROLE fetch from plugin instead of getting it 
from Ranger admin via rest.
- Introduced service configuration "ranger.plugin.service.admins" to maintain 
list of service admin who can run "show role"commands in hive.
- Introduced api isServiceAdmin() in RangerBasePlugin to check if the user is 
service admin. This will enable other plugins to use similar service admin 
check for any ROLE based command authorization check.


Thanks,

Ramesh Mani