[https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571099#comment-17571099]
Madhan Neethiraj edited comment on RANGER-3839 at 7/25/22 9:25 PM:
-------------------------------------------------------------------
[[email protected]] - commands {{SHOW DATABASES}}, {{USE _<databaseName>_}} and {{SHOW TABLES}} don't require any additional policies to be set up. These commands check whether the user has _any_ permission on the accessed database/table or on a sub-resource in its hierarchy (i.e., tables or columns).
I verified the following with the Hive plugin from the master branch:
# Login as user=hive in beeline and execute the following statements to create table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address string);}}
# Login as user=user1 in beeline and execute the statement {{use hr;}} This results in the following error, as the user doesn't have access to any resource within database=hr:
** {{Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user1] does not have [USE] privilege on [hr] (state=42000,code=40000)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{code:json}
{
  "op": "add_or_update",
  "serviceName": "dev_hive",
  "tagDefinitions": { "0": { "name": "PII" } },
  "tags": { "0": { "type": "PII" } },
  "serviceResources": [
    {
      "id": 0,
      "serviceName": "dev_hive",
      "resourceElements": {
        "database": { "values": [ "hr" ] },
        "table": { "values": [ "employee" ] },
        "column": { "values": [ "ssn" ] }
      }
    }
  ],
  "resourceToTagIds": { "0": [ "0" ] }
}
{code}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to user1.
# Now execute the following commands as user1:
** {{show databases;}} - the hr database is included in the returned list.
** {{use hr;}} - the command succeeds.
** {{show tables;}} - the employee table is included in the returned list.
Please verify your use case with the above details. I see a couple of missing details/issues in the example detailed in this Jira description:
# Missing: association of tag=RESTRICTED with column=employee.personal.city. Please make sure that the tag is associated with the column.
# The policy for tag=RESTRICTED is shown to have id=1, but the audit log has policyId=101. Is the access allowed by a different policy?
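An added example, not Ranger's own code and not part of the comment above: a small Python model of the rule the comment describes, namely that USE / SHOW DATABASES / SHOW TABLES succeed when the user holds any access on the resource or on a tagged sub-resource beneath it. It parses a ServiceTags payload of the shape shown above, reports resources that have no entry in {{resourceToTagIds}} (the kind of gap noted in item 1), and evaluates a constructed tag policy against the resulting hierarchy. The second {{finance.ledger}} resource, the {{TAG_POLICIES}} table and all function names are constructed for this example; the hierarchy walk is a simplification of what the plugin does and deliberately ignores resource-based policies.

```python
"""Simplified model of tag-driven metadata visibility in a Hive-style hierarchy.

Added example; this is NOT Apache Ranger code. It models only tag-based
policies (no resource-based policies) to illustrate the 'any access on a
sub-resource' rule described in the comment.
"""
import json

# Constructed ServiceTags payload. The first resource mirrors the one in the
# comment; the second (finance.ledger) is added here and intentionally has no
# tag association, to show how such a gap is detected.
SERVICE_TAGS_JSON = r'''{
  "op": "add_or_update",
  "serviceName": "dev_hive",
  "tagDefinitions": { "0": { "name": "PII" } },
  "tags": { "0": { "type": "PII" } },
  "serviceResources": [
    { "id": 0, "serviceName": "dev_hive",
      "resourceElements": {
        "database": { "values": [ "hr" ] },
        "table":    { "values": [ "employee" ] },
        "column":   { "values": [ "ssn" ] } } },
    { "id": 1, "serviceName": "dev_hive",
      "resourceElements": {
        "database": { "values": [ "finance" ] },
        "table":    { "values": [ "ledger" ] } } }
  ],
  "resourceToTagIds": { "0": [ "0" ] }
}'''

# Constructed tag policies: tag type -> user -> allowed access types.
# Corresponds to "tag-based policy for tag=PII allowing hive:select to user1".
TAG_POLICIES = {"PII": {"user1": {"select"}}}

HIVE_LEVELS = ("database", "table", "column")


def resource_path(elements):
    """Flatten resourceElements into a tuple such as ('hr', 'employee', 'ssn')."""
    path = []
    for level in HIVE_LEVELS:
        if level not in elements:
            break  # hierarchy stops at the first missing level
        path.append(elements[level]["values"][0])
    return tuple(path)


def load_tagged_resources(payload_text):
    """Return ({resource_path: set(tag_types)}, [untagged resource paths]).

    Raises ValueError if a tag references a type with no tagDefinition.
    """
    payload = json.loads(payload_text)
    tag_types = {tid: t["type"] for tid, t in payload["tags"].items()}
    defined = {d["name"] for d in payload["tagDefinitions"].values()}
    for tid, ttype in tag_types.items():
        if ttype not in defined:
            raise ValueError(f"tag {tid} has type {ttype!r} with no tagDefinition")
    tagged, untagged = {}, []
    for res in payload["serviceResources"]:
        path = resource_path(res["resourceElements"])
        tag_ids = payload["resourceToTagIds"].get(str(res["id"]), [])
        if not tag_ids:
            untagged.append(path)  # resource exists but carries no tag
            continue
        tagged[path] = {tag_types[t] for t in tag_ids}
    return tagged, untagged


def access_on_resource(user, path, tagged):
    """Access types the user holds on exactly this resource via its tags."""
    allowed = set()
    for tag in tagged.get(path, ()):
        allowed |= TAG_POLICIES.get(tag, {}).get(user, set())
    return allowed


def has_any_access(user, prefix, tagged):
    """True if the user holds any access on `prefix` or any resource beneath it.

    This is the check that makes `use <db>` succeed once a column under the
    database is reachable through a tag policy.
    """
    return any(access_on_resource(user, path, tagged)
               for path in tagged if path[:len(prefix)] == prefix)


def visible_databases(user, tagged):
    """Databases a `show databases` would list for the user in this model."""
    return sorted({p[0] for p in tagged if has_any_access(user, p[:1], tagged)})


def visible_tables(user, database, tagged):
    """Tables a `show tables` would list for the user inside `database`."""
    return sorted({p[1] for p in tagged
                   if len(p) > 1 and p[0] == database
                   and has_any_access(user, p[:2], tagged)})


if __name__ == "__main__":
    tagged, untagged = load_tagged_resources(SERVICE_TAGS_JSON)
    print("resources without a tag association:", untagged)
    print("user1 may 'use hr':", has_any_access("user1", ("hr",), tagged))
    print("user1 show databases:", visible_databases("user1", tagged))
    print("user1 show tables in hr:", visible_tables("user1", "hr", tagged))
```

Running it reports {{finance.ledger}} as a resource with no tag association, and shows that user1 can {{use hr}} and sees {{hr}} / {{employee}} in the listings solely because the PII tag on {{hr.employee.ssn}} grants select; a user with no tag policy sees nothing.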
> Ranger Tag based policy with ability to show metadata for covered resource
> --------------------------------------------------------------------------
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Reporter: Ramesh Bhanan Byndoor
> Priority: Major
>
> Have a use case around this for Trino and Hive where the user should be able to
> see allowed parents along with the child table
>
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>
> Resource
>
> {code:java}
> {
> "serviceName": "cl1_hive",
> "resourceElements": {
> "database": {
> "values": ["employee"]
> },
> "table": {
> "values": ["personal"]
> },
> "column": {
> "values": ["city"]
> }
> },
> "id": 3,
> "guid": "employee.personal.city-guid"
> }
> {code}
> Policy
> {code:java}
> {
> "id": 1,
> "name": "RESTRICTED_TAG_POLICY",
> "isEnabled": true,
> "isAuditEnabled": true,
> "resources": {
> "tag": {
> "values": ["RESTRICTED"],
> "isRecursive": false
> }
> },
> "policyItems": [{
> "accesses": [{
> "type": "hive:select",
> "isAllowed": true
> }],
> "users": ["hive", "user1"],
> "groups": [],
> "delegateAdmin": false,
> "conditions": [{
> "type": "expression",
> "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
> }]
> }]
> }{code}
> The test below is working as expected
> {code:java}
> {
> "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
> "request": {
> "resource": {
> "elements": {
> "database": "employee",
> "table": "personal",
> "column": "city"
> }
> },
> "accessType": "select",
> "user": "user1",
> "userGroups": [],
> "requestData": "select city from employee.personal;' for user1"
> },
> "result": {
> "isAudited": true,
> "isAllowed": true,
> "policyId": 101
> }
> }{code}
> The expectation is how to allow this (without {color:#FF0000}allowing access to
> anything apart from this{color}):
> *show databases;* — with results *employee*
> *use employee;*
> *show tables;* – with results *personal*
>
> Please suggest possible ways to solve this/policy creation.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)