[
https://issues.apache.org/jira/browse/RANGER-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17274345#comment-17274345
]
sooyeon shin edited comment on RANGER-3142 at 1/29/21, 11:21 AM:
-----------------------------------------------------------------
Hi [~anchal.agarwal], Thanks for your feedback.
Actually, what I mean is no2. (And I have created a batch job to synchronize
policies, users and roles via REST API.)
But I think no1 works too.
I tested similarly with Ranger v2.1.0, Trino (Prestosql) 344.
Add 'public' group and add 'user' user to it.
!image-2021-01-29-19-53-59-145.png|width=798,height=55!
!image-2021-01-29-19-54-02-248.png|width=799,height=55!
Add 'role-hive-allow-read' and 'role-hive-disallow-read' roles, and add
'public' group only to 'role-hive-allow-read'.
!image-2021-01-29-19-54-28-329.png|width=799,height=120!
Add policies with roles.
!image-2021-01-29-19-54-50-303.png|width=649,height=408!
!image-2021-01-29-19-55-01-685.png|width=784,height=145!
Now run the query on each table.
!image-2021-01-29-19-59-42-929.png|width=767,height=221!
Here is the audit log.
!image-2021-01-29-20-00-54-796.png|width=842,height=321!
In this case, the policy is applied.
I'm not sure if there is any other problem.
was (Author: comma337):
Hi [~anchal.agarwal], Thanks for your feedback.
Actually, what I mean is no2. (And I have created a batch job to synchronize
policies, users and roles via REST API.)
But I think no1 works too.
Which version do you use?
I tested similarly with Ranger v2.1.0, Trino (Prestosql) 344.
Add 'public' group and add 'user' user to it.
!image-2021-01-29-19-53-59-145.png|width=798,height=55!
!image-2021-01-29-19-54-02-248.png|width=799,height=55!
Add 'role-hive-allow-read' and 'role-hive-disallow-read' roles, and add
'public' group only to 'role-hive-allow-read'.
!image-2021-01-29-19-54-28-329.png|width=799,height=120!
Add policies with roles.
!image-2021-01-29-19-54-50-303.png|width=649,height=408!
!image-2021-01-29-19-55-01-685.png|width=784,height=145!
Now run the query on each table.
!image-2021-01-29-19-59-42-929.png|width=767,height=221!
Here is the audit log.
!image-2021-01-29-20-00-54-796.png|width=842,height=321!
In this case, the policy is applied.
I'm not sure if there is any other problem.
> Access control based on groups not working for presto plugin
> -------------------------------------------------------------
>
> Key: RANGER-3142
> URL: https://issues.apache.org/jira/browse/RANGER-3142
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.1.0
> Environment: ranger-2.1.0-presto-plugin.tar.gz
> presto-server-347.tar.gz
> Reporter: Anchal Agarwal
> Assignee: Pradeep Agrawal
> Priority: Major
> Attachments: image-2021-01-29-19-53-59-145.png,
> image-2021-01-29-19-54-02-248.png, image-2021-01-29-19-54-28-329.png,
> image-2021-01-29-19-54-50-303.png, image-2021-01-29-19-55-01-685.png,
> image-2021-01-29-19-59-42-929.png, image-2021-01-29-20-00-54-796.png
>
>
> I'm using ranger-2.1.0 for access control in prestosql-347.
> A policy with user list in 'allow conditions' works i.e. if I connect to
> presto with a user in the allowed list, my query returns the expected results.
> But instead of users, if I use group in the policy and try accessing presto
> with a user belonging to that group, then I'm denied access.
> {code:java}
> %presto
> show tables in default
> Query failed (#20210106_032741_00000_dddsy): Access Denied: Cannot access
> catalog hive
> {code}