[ 
https://issues.apache.org/jira/browse/RANGER-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17491889#comment-17491889
 ] 

Tarek Abouzeid commented on RANGER-3142:
----------------------------------------

Hi,

This won't be solved from Apache Ranger; this requires the Trino/Presto group 
provider plugin, which fetches the LDAP groups associated with a particular LDAP 
user.

You can check this from the developers documentation. [Group provider — Trino 
370 Documentation|https://trino.io/docs/current/develop/group-provider.html]

We have used this project [arghya18/trino-group-provider-ldap-ad: Trino Group 
Provider LDAP is a Trino (formerly Presto SQL) plugin to map user names to 
groups using an LDAP server 
(github.com)|https://github.com/arghya18/trino-group-provider-ldap-ad] for the 
group provider plugin.

Best Regards, 

> Access control based on groups not working for presto plugin 
> -------------------------------------------------------------
>
>                 Key: RANGER-3142
>                 URL: https://issues.apache.org/jira/browse/RANGER-3142
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>         Environment: ranger-2.1.0-presto-plugin.tar.gz
> presto-server-347.tar.gz
>            Reporter: Anchal Agarwal
>            Priority: Major
>         Attachments: image-2021-01-29-19-53-59-145.png, 
> image-2021-01-29-19-54-02-248.png, image-2021-01-29-19-54-28-329.png, 
> image-2021-01-29-19-54-50-303.png, image-2021-01-29-19-55-01-685.png, 
> image-2021-01-29-19-59-42-929.png, image-2021-01-29-20-00-54-796.png
>
>
> I'm using ranger-2.1.0 for access control in prestosql-347.
> A policy with user list in 'allow conditions' works i.e. if I connect to 
> presto with a user in the allowed list, my query returns the expected results.
> But instead of users, if I use group in the policy and try accessing presto 
> with a user belonging to that group, then I'm denied access.
> {code:java}
> %presto
> show tables in default
> Query failed (#20210106_032741_00000_dddsy): Access Denied: Cannot access 
> catalog hive
> {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
