Harish Kumar M created RANGER-3193:
--------------------------------------
Summary: create view as select is denied if the view and select
table are in different schemas
Key: RANGER-3193
URL: https://issues.apache.org/jira/browse/RANGER-3193
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 2.1.0
Environment: Ranger 2.1.0, prestosql 350
Reporter: Harish Kumar M
CREATE VIEW AS SELECT is denied if the view and table are in different
schemas (DBs), though the identity has a valid privilege to create a view in the
view-owned schema.
For example:
CREATE VIEW db2.view1 AS SELECT col1,col2,col3 from db1.tbl1;
In the above statement, the Presto plugin validates two major permissions on the identity:
1. The check on the identity to create a view under schema db2, in the method
checkCanCreateView.
2. The check on the identity to select columns col1,col2,col3 on the table tbl1 under
schema db1, in the method checkCanCreateViewWithSelectFromColumns.
Whereas in the Ranger Presto plugin, in the method
checkCanCreateViewWithSelectFromColumns, the check is done on the identity to create
a view on schema db1 instead of a check on selecting columns from the table.
When I check the code in RangerSystemAccessControl.java:
{code:java}
/**
 * This check equals the check for checkCanCreateView
 */
@Override
public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
  try {
    checkCanCreateView(context, table);
  } catch (AccessDeniedException ade) {
    LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
    AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), context.getIdentity());
  }
}
{code}
Ranger checks the identity's privilege to create a view on the selected table's schema.
Due to this, in the two scenarios below the identity is checked incorrectly.
Scenario 1:
The identity has the privilege to create a view in the view-owned schema and the identity
doesn't have the privilege to create a view in the table-owned schema. In this scenario,
the identity will be denied the create view, since the create view check is on
both the view-owned and table-owned schemas.
Scenario 2:
The identity has the privilege to select and create view, but doesn't have
the privilege to select the table. In this scenario, the identity can still create the view and
select from the view, though the identity doesn't have the privilege to select the table.
Please help to check this, as this is in the latest Ranger versions.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
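The two scenarios above can be reproduced with a small decision model. This is an added example, not code from the report or from Ranger: the `Grants` class, the function names and the sample grants are constructed, and Scenario 2 is read here as "create-view rights in both schemas, no SELECT on db1.tbl1".

```python
from dataclasses import dataclass, field

@dataclass
class Grants:
    """Constructed stand-in for one identity's policies (not Ranger's policy model)."""
    create_view: set = field(default_factory=set)   # schemas where CREATE VIEW is allowed
    select: dict = field(default_factory=dict)      # (schema, table) -> selectable columns

def check_can_create_view(g, schema):
    return schema in g.create_view

def select_check_reported(g, schema, table, columns):
    # Behaviour described in the report: the create-view check is repeated on
    # the source table's schema and the column set is never consulted.
    return check_can_create_view(g, schema)

def select_check_expected(g, schema, table, columns):
    # Behaviour the report expects: SELECT on every referenced column.
    return set(columns) <= g.select.get((schema, table), set())

def authorize(g, view_schema, src_schema, src_table, columns, select_check):
    """Both checks made for CREATE VIEW ... AS SELECT must pass."""
    return (check_can_create_view(g, view_schema)
            and select_check(g, src_schema, src_table, columns))

COLS = ["col1", "col2", "col3"]
# Scenario 1: may create views in db2 and select from db1.tbl1, no create right in db1.
SCENARIO_1 = Grants(create_view={"db2"}, select={("db1", "tbl1"): set(COLS)})
# Scenario 2: may create views in db1 and db2, no SELECT on db1.tbl1.
SCENARIO_2 = Grants(create_view={"db1", "db2"})

def evaluate():
    """Decision for CREATE VIEW db2.view1 AS SELECT col1,col2,col3 FROM db1.tbl1."""
    out = {}
    for name, grants in (("scenario1", SCENARIO_1), ("scenario2", SCENARIO_2)):
        out[name] = {
            "reported": authorize(grants, "db2", "db1", "tbl1", COLS, select_check_reported),
            "expected": authorize(grants, "db2", "db1", "tbl1", COLS, select_check_expected),
        }
    return out

if __name__ == "__main__":
    for name, decisions in evaluate().items():
        print(name, decisions)
```

A regression test for a fix would assert the "expected" column: Scenario 1 allowed, Scenario 2 denied.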