[ https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571099#comment-17571099 ]

Madhan Neethiraj commented on RANGER-3839:
------------------------------------------

[[email protected]]  - commands {{SHOW DATABASES}}, {{USE _<databaseName>_}} and {{SHOW TABLES}} don't require any additional policies to be set up. These commands check whether the user has _any_ permission on the accessed database/table or on a sub-resource in its hierarchy (i.e., tables or columns).

I verified the following with Hive plugin from master branch:
 # Login as user=hive in beeline and execute the following statements to create table hr.employee:
 ** {{create database hr;}}
 ** {{create table hr.employee(id int, name string, ssn string, address string);}}
 # Login as user=user1 in beeline and execute the statement {{use hr;}}. This results in the following error, as the user doesn't have access to any resource within database=hr.

 ** {{Error: Error while compiling statement: FAILED: 
HiveAccessControlException Permission denied: user [user1] does not have [USE] 
privilege on [hr] (state=42000,code=40000)}}
 # Now add tag PII on column hr.employee.ssn, with the following:
{code:java}
{
  "op":             "add_or_update",
  "serviceName":    "dev_hive",
  "tagDefinitions": { "0": { "name": "PII" } },
  "tags":           { "0": { "type": "PII" } },
  "serviceResources": [
    {
      "id":          0,
      "serviceName": "dev_hive",
      "resourceElements": {
        "database": { "values": [ "hr" ] },
        "table":    { "values": [ "employee" ] },
        "column":   { "values": [ "ssn" ] }
      }
    }
  ],
  "resourceToTagIds": { "0": [ "0" ] }
}
{code}
 # Create a tag-based policy for tag=PII to allow {{hive:select}} access to user1
 # Now execute the following commands as user1:
 ** {{show databases;}} - the hr database is included in the returned list
 ** {{use hr;}} - the command succeeds
 ** {{show tables;}} - the employee table is included in the returned list

Please verify your use case with the above details. I see a couple of missing details/issues in the example detailed in this Jira description.
 # missing: association of tag=RESTRICTED on column=employee.personal.city. Please make sure that the tag is associated with the column.
 # The policy for tag=RESTRICTED is shown to have id=1, but the audit log has policyId=101. Is the access allowed by a different policy?
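A small model of the rule described in the comment above, added here as an illustration (it is not Ranger's code and does not call its APIs): a ServiceTags-style payload and a tag policy, both constructed, are evaluated so that {{USE <db>}} / {{SHOW TABLES}} succeed when the user holds any access on the resource itself or on any table/column beneath it. The function and field names below are hypothetical.

```python
from typing import Dict, List, Set, Tuple

Path = Tuple[str, ...]  # (database,), (database, table) or (database, table, column)

# Constructed tag mapping, modelled on the comment's ServiceTags payload: column hr.employee.ssn -> PII.
SERVICE_TAGS = {
    "tags": {"0": {"type": "PII"}},
    "serviceResources": [{"id": 0, "resourceElements": {
        "database": {"values": ["hr"]},
        "table":    {"values": ["employee"]},
        "column":   {"values": ["ssn"]}}}],
    "resourceToTagIds": {"0": ["0"]},
}
# Constructed tag-based policy: tag PII grants hive:select to user1.
TAG_POLICIES = [{"tag": "PII", "users": {"user1"}, "accesses": {"select"}}]


def tagged_resources(service_tags: Dict) -> List[Tuple[Path, Set[str]]]:
    """Flatten the payload into (resource path, set of tag types) pairs."""
    out = []
    for res in service_tags["serviceResources"]:
        el = res["resourceElements"]
        path = tuple(el[k]["values"][0] for k in ("database", "table", "column") if k in el)
        tag_ids = service_tags["resourceToTagIds"].get(str(res["id"]), [])
        out.append((path, {service_tags["tags"][t]["type"] for t in tag_ids}))
    return out


def accesses_on(user: str, path: Path, service_tags=SERVICE_TAGS, policies=TAG_POLICIES) -> Set[str]:
    """Access types the tag policies grant `user` on exactly this resource (no hierarchy walk)."""
    granted: Set[str] = set()
    for res_path, types in tagged_resources(service_tags):
        if res_path == path:
            for p in policies:
                if p["tag"] in types and user in p["users"]:
                    granted |= p["accesses"]
    return granted


def has_any_access(user: str, path: Path, service_tags=SERVICE_TAGS, policies=TAG_POLICIES) -> bool:
    """The rule USE <db> / SHOW TABLES apply in the comment: any access on the
    resource, or on any sub-resource whose path starts with it, is enough."""
    return any(res_path[:len(path)] == path and accesses_on(user, res_path, service_tags, policies)
               for res_path, _ in tagged_resources(service_tags))


def show_databases(user: str, all_dbs: List[str], service_tags=SERVICE_TAGS, policies=TAG_POLICIES) -> List[str]:
    """SHOW DATABASES: only databases in which the user can reach something."""
    return [d for d in all_dbs if has_any_access(user, (d,), service_tags, policies)]
```

Without the PII policy (or before the tag is associated with the column) {{has_any_access("user1", ("hr",))}} is False, which matches the USE error in step 2 of the comment.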

> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
>                 Key: RANGER-3839
>                 URL: https://issues.apache.org/jira/browse/RANGER-3839
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Ramesh Bhanan Byndoor
>            Priority: Major
>
> Have a use case around this for trino and hive where user should be able to 
> see allowed parents along with child table
>
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>
> Resource 
>
> {code:java}
> {
>      "serviceName": "cl1_hive",
>      "resourceElements": {
>          "database": {
>              "values": ["employee"]
>          },
>          "table": {
>              "values": ["personal"]
>          },
>          "column": {
>              "values": ["city"]
>          }
>      },
>      "id": 3,
>      "guid": "employee.personal.city-guid"
>  }
>  {code}
> Policy
> {code:java}
> {
>      "id": 1,
>      "name": "RESTRICTED_TAG_POLICY",
>      "isEnabled": true,
>      "isAuditEnabled": true,
>      "resources": {
>          "tag": {
>              "values": ["RESTRICTED"],
>              "isRecursive": false
>          }
>      },
>      "policyItems": [{
>          "accesses": [{
>              "type": "hive:select",
>              "isAllowed": true
>          }],
>          "users": ["hive", "user1"],
>          "groups": [],
>          "delegateAdmin": false,
>          "conditions": [{
>              "type": "expression",
>              "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
>          }]
>      }]
>  }{code}
> The test below is working as expected
> {code:java}
> {
>     "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
>     "request": {
>         "resource": {
>             "elements": {
>                 "database": "employee",
>                 "table": "personal",
>                 "column": "city"
>             }
>         },
>         "accessType": "select",
>         "user": "user1",
>         "userGroups": [],
>         "requestData": "select city from employee.personal;' for user1"
>     },
>     "result": {
>         "isAudited": true,
>         "isAllowed": true,
>         "policyId": 101
>     }
> }{code}
> The expectation is how to allow? (without {color:#FF0000}allowing access 
> anything apart from this{color})
> *show databases;* - with results *employee*
> *use employee;*
> *show tables;* - with results *personal* 
>
> Please suggest possible ways to solve this/policy creation. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)