[ https://issues.apache.org/jira/browse/RANGER-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17274345#comment-17274345 ]

sooyeon shin commented on RANGER-3142:
--------------------------------------

Hi [~anchal.agarwal], Thanks for your feedback.

Actually, what I mean is no2. (And I have created a batch job to synchronize 
policies, users and roles via REST API.)
But I think no1 works too.

Which version do you use?
I tested similarly with Ranger v2.1.0, Trino (Prestosql) 344.

Add 'public' group and add 'user' user to it.

!image-2021-01-29-19-53-59-145.png|width=798,height=55!

!image-2021-01-29-19-54-02-248.png|width=799,height=55!

Add 'role-hive-allow-read' and 'role-hive-disallow-read' roles, and add 
'public' group only to 'role-hive-allow-read'.

!image-2021-01-29-19-54-28-329.png|width=799,height=120!

Add policies with roles.

!image-2021-01-29-19-54-50-303.png|width=649,height=408!

!image-2021-01-29-19-55-01-685.png|width=784,height=145!

Now run the query on each table.

!image-2021-01-29-19-59-42-929.png|width=767,height=221!

Here is the audit log.

!image-2021-01-29-20-00-54-796.png|width=842,height=321!

In this case, the policy is applied.

I'm not sure if there is any other problem.

> Access control based on groups not working for presto plugin 
> -------------------------------------------------------------
>
>                 Key: RANGER-3142
>                 URL: https://issues.apache.org/jira/browse/RANGER-3142
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>         Environment: ranger-2.1.0-presto-plugin.tar.gz
> presto-server-347.tar.gz
>            Reporter: Anchal Agarwal
>            Assignee: Pradeep Agrawal
>            Priority: Major
>         Attachments: image-2021-01-29-19-53-59-145.png, 
> image-2021-01-29-19-54-02-248.png, image-2021-01-29-19-54-28-329.png, 
> image-2021-01-29-19-54-50-303.png, image-2021-01-29-19-55-01-685.png, 
> image-2021-01-29-19-59-42-929.png, image-2021-01-29-20-00-54-796.png
>
>
> I'm using ranger-2.1.0 for access control in prestosql-347.
> A policy with user list in 'allow conditions' works i.e. if I connect to 
> presto with a user in the allowed list, my query returns the expected results.
> But instead of users, if I use group in the policy and try accessing presto 
> with a user belonging to that group, then I'm denied access.
> {code:java}
> %presto
> show tables in default
> Query failed (#20210106_032741_00000_dddsy): Access Denied: Cannot access 
> catalog hive
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
