[ https://issues.apache.org/jira/browse/RANGER-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17468378#comment-17468378 ]
liuyanning commented on RANGER-3142:
------------------------------------

I had the same problem in prestosql-350 with open-ldap-2.4.44, but user and roles are normal, so I also decided to use roles instead of groups. So I also decided to use roles instead of groups?

{quote}
2022-01-04T11:39:46.390+0800 DEBUG Query-20220104_033946_00009_4p5vs-510 io.prestosql.security.AccessControl Invocation of checkCanSelectFromColumns(context=SecurityContext\{identity=Identity{user='lj-taiyuan-a', groups=[], principal=lj-taiyuan-a, roles={}, extraCredentials=[]}, queryId=20220104_033946_00009_4p5vs}, tableName=hive.information_schema.tables, columnNames=[table_schema, table_name]) took 738.60us and failed with io.prestosql.spi.security.AccessDeniedException: Access Denied: Cannot access catalog hive
2022-01-04T11:39:46.391+0800 DEBUG dispatcher-query-32 io.prestosql.execution.QueryStateMachine Query 20220104_033946_00009_4p5vs failed
io.prestosql.spi.security.AccessDeniedException: Access Denied: Cannot access catalog hive
    at io.prestosql.spi.security.AccessDeniedException.denyCatalogAccess(AccessDeniedException.java:118)
    at io.prestosql.spi.security.AccessDeniedException.denyCatalogAccess(AccessDeniedException.java:113)
    at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.checkCanAccessCatalog(RangerSystemAccessControl.java:311)
    at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.checkCanAccessCatalog(RangerSystemAccessControl.java:89)
    at io.prestosql.security.AccessControlManager.checkCanAccessCatalog(AccessControlManager.java:1003)
    at io.prestosql.security.AccessControlManager.checkCanSelectFromColumns(AccessControlManager.java:792)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at io.prestosql.plugin.base.util.LoggingInvocationHandler.handleInvocation(LoggingInvocationHandler.java:60)
    at com.google.common.reflect.AbstractInvocationHandler.invoke(AbstractInvocationHandler.java:86)
    at com.sun.proxy.$Proxy112.checkCanSelectFromColumns(Unknown Source)
    at io.prestosql.security.ForwardingAccessControl.checkCanSelectFromColumns(ForwardingAccessControl.java:320)
    at io.prestosql.sql.analyzer.Analyzer.lambda$analyze$0(Analyzer.java:96)
    at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:684)
    at io.prestosql.sql.analyzer.Analyzer.lambda$analyze$1(Analyzer.java:95)
    at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:684)
    at io.prestosql.sql.analyzer.Analyzer.analyze(Analyzer.java:94)
    at io.prestosql.sql.analyzer.Analyzer.analyze(Analyzer.java:83)
    at io.prestosql.execution.SqlQueryExecution.analyze(SqlQueryExecution.java:263)
    at io.prestosql.execution.SqlQueryExecution.<init>(SqlQueryExecution.java:186)
    at io.prestosql.execution.SqlQueryExecution$SqlQueryExecutionFactory.createQueryExecution(SqlQueryExecution.java:768)
    at io.prestosql.dispatcher.LocalDispatchQueryFactory.lambda$createDispatchQuery$0(LocalDispatchQueryFactory.java:129)
    at io.prestosql.$gen.Presto_350____20220104_031629_2.call(Unknown Source)
    at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
    at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
    at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
2022-01-04T11:39:46.391+0800 DEBUG dispatcher-query-34 io.prestosql.execution.QueryStateMachine Query 20220104_033946_00009_4p5vs is FAILED
{quote}

> Access control based on groups not working for presto plugin
> -------------------------------------------------------------
>
>                 Key: RANGER-3142
>                 URL: https://issues.apache.org/jira/browse/RANGER-3142
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>         Environment: ranger-2.1.0-presto-plugin.tar.gz
> presto-server-347.tar.gz
>            Reporter: Anchal Agarwal
>            Priority: Major
>         Attachments: image-2021-01-29-19-53-59-145.png,
> image-2021-01-29-19-54-02-248.png, image-2021-01-29-19-54-28-329.png,
> image-2021-01-29-19-54-50-303.png, image-2021-01-29-19-55-01-685.png,
> image-2021-01-29-19-59-42-929.png, image-2021-01-29-20-00-54-796.png
>
>
> I'm using ranger-2.1.0 for access control in prestosql-347.
> A policy with user list in 'allow conditions' works i.e. if I connect to
> presto with a user in the allowed list, my query returns the expected results.
> But instead of users, if I use group in the policy and try accessing presto
> with a user belonging to that group, then I'm denied access.
> {code:java}
> %presto
> show tables in default
> Query failed (#20210106_032741_00000_dddsy): Access Denied: Cannot access catalog hive
> {code}

--
This message was sent by Atlassian Jira
(v8.20.1#820001)