Re: Review Request 73300: RANGER-3252:Inconsistent behavior in Ranger Role authorization within same hive beeline session

Abhay Kulkarni Sun, 25 Apr 2021 17:17:15 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73300/#review222861
-----------------------------------------------------------





hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 2932 (patched)
<https://reviews.apache.org/r/73300/#comment312019>

    It is very expensive to get roles from Ranger for every Hive access. 
Instead, please consider modifying implementation of getCurrentRoles() as 
follows and call getCurrentRoles() as before instead of calling 
getCurrentRolesFromRanger().
    
        private Set<String> getCurrentRoles() {
    
                UserGroupInformation ugi = getCurrentUserGroupInfo();
                String                  user           = ugi.getShortUserName();
                Set<String>             groups         = 
Sets.newHashSet(ugi.getGroupNames());
                return 
hivePlugin.getCurrentRangerAuthContext().getRolesForUserAndGroups(user, groups);
    
        }



hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Line 2934 (original), 2955 (patched)
<https://reviews.apache.org/r/73300/#comment312020>

    Consider changing the log message to indicate the entry to the module here. 
Also consider misleading changing log message at line 2970.


- Abhay Kulkarni


On April 25, 2021, 10:14 p.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73300/
> -----------------------------------------------------------
> 
> (Updated April 25, 2021, 10:14 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, 
> Mehul Parikh, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3252
>     https://issues.apache.org/jira/browse/RANGER-3252
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-3252:Inconsistent behavior in Ranger Role authorization within same 
> hive beeline session
> 
> 
> Diffs
> -----
> 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  5bd5c2da4 
> 
> 
> Diff: https://reviews.apache.org/r/73300/diff/1/
> 
> 
> Testing
> -------
> 
> - Within the Same Hive Session when Roles are updated for inclusion and 
> exclusion of user/group/roles, authorization failed for those users/ groups 
> and roles and this patch takes care of it
> - verified by setting current role with "set role <rolename>" within the same 
> Hive session.
> - verified show roles and show current roles based on inclusion and exclusion 
> of user / groups and roles.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>

Re: Review Request 73300: RANGER-3252:Inconsistent behavior in Ranger Role authorization within same hive beeline session

Reply via email to