[ https://issues.apache.org/jira/browse/RANGER-3921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kirby zhou updated RANGER-3921:
-------------------------------
    Description: 
In agents-common/src/test/resources/policyengine/test_policyengine_hive.json,

we have hive policy:
{code:java}
{"id":8,"name":"db=dummy; table=*; column=*","isEnabled":true,"isAuditEnabled":true,
 "resources":{"database":{"values":["dummy"]},"table":{"values":["*"]},"column":{"values":["*"]}},
 "policyItems":[
   {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user1","user2"],"groups":[],"delegateAdmin":false}
 ],
 "allowExceptions":[
   {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false},
   {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
 ]
}
{code}
According to the general understanding, this grants column-level permission, rather than table-level or database-level permission.

But these new test cases pass:
{code:java}
{"name":"ALLOW 'drop dummy/*;' for user1",
  "request":{
    "resource":{"elements":{"database":"dummy", "table": "dummy"}},
    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy/dummy for user1"
  },
  "result":{"isAudited":true,"isAllowed":true,"policyId":8}
},
{"name":"ALLOW 'drop dummy;' for user1",
  "request":{
    "resource":{"elements":{"database":"dummy"}},
    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy for user1"
  },
  "result":{"isAudited":true,"isAllowed":true,"policyId":8}
},
{"name":"ALLOW 'drop dummy/udf=dummy;' for user1",
  "request":{
    "resource":{"elements":{"database":"dummy", "udf":"dummy"}},
    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy for user1"
  },
  "result":{"isAudited":false,"isAllowed":true,"policyId":8}
}
{code}
 

This doesn't seem reasonable: a user who cannot drop a UDF can drop the whole database.

Or can someone tell me how to give users only column-level permissions, without involving the table or database?

  was:
In agents-common/src/test/resources/policyengine/test_policyengine_hive.json,

we have hive policy:
{code:java}
{"id":8,"name":"db=dummy; table=*; column=*","isEnabled":true,"isAuditEnabled":true,
 "resources":{"database":{"values":["dummy"]},"table":{"values":["*"]},"column":{"values":["*"]}},
 "policyItems":[
   {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user1","user2"],"groups":[],"delegateAdmin":false}
 ],
 "allowExceptions":[
   {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false},
   {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
 ]
}
{code}
According to the general understanding, this grants column-level permission, rather than table-level or database-level permission.

But these 2 new test cases pass:
{code:java}
{"name":"ALLOW 'drop dummy/*;' for user1",
  "request":{
    "resource":{"elements":{"database":"dummy", "table": "dummy"}},
    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy/dummy for user1"
  },
  "result":{"isAudited":true,"isAllowed":true,"policyId":8}
},
{"name":"ALLOW 'drop dummy;' for user1",
  "request":{
    "resource":{"elements":{"database":"dummy"}},
    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy for user1"
  },
  "result":{"isAudited":true,"isAllowed":true,"policyId":8}
}
{code}
 

This doesn't seem reasonable.

Or can someone tell me how to give users only column-level permissions, without involving the table or database?


> User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and database.
> -----------------------------------------------------------------------------------
>
>                 Key: RANGER-3921
>                 URL: https://issues.apache.org/jira/browse/RANGER-3921
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 3.0.0, 2.3.0, 2.4.0
>            Reporter: kirby zhou
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
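The behaviour the report describes follows from how a hierarchical resource matcher treats wildcard levels: a policy on db=dummy / table=* / column=* names deeper levels than a database-level request does, and because every one of those deeper levels is `*`, the policy still covers the shorter request. The following is an added illustrative model written for this page; it is not Apache Ranger's code and does not reproduce its matcher, and the hierarchy tuple, the function names, and the simplifying rule that a policy naming fewer levels than the request does not match are all assumptions of the example. It re-runs the report's requests against the policy 8 data and then shows the contrast with a policy whose table level is pinned to a concrete name.

```python
# Illustrative model of Ranger-style hierarchical resource matching for the
# RANGER-3921 report. Added example, not Apache Ranger code; names and the
# simplified rules below are assumptions made for this example.

HIVE_TABLE_HIERARCHY = ("database", "table", "column")  # assumed level order

# Policy 8 from test_policyengine_hive.json, reduced to the fields the model uses.
POLICY_8 = {
    "id": 8,
    "resources": {
        "database": {"values": ["dummy"]},
        "table": {"values": ["*"]},
        "column": {"values": ["*"]},
    },
    "policyItems": [
        {"accesses": ["create", "update", "drop"], "users": ["user1", "user2"]},
    ],
    "allowExceptions": [
        {"accesses": ["create", "update"], "users": ["user1"]},
        {"accesses": ["create", "update", "drop"], "users": ["user2"]},
    ],
}


def resource_matches(policy_resources, request_resource, hierarchy=HIVE_TABLE_HIERARCHY):
    """Return True if the policy's resource covers the requested resource.

    Modelled rules (assumptions for this example):
      * every level named in the request must be named in the policy and match
        it, either exactly or through the '*' wildcard;
      * every deeper level the policy names but the request omits must be '*',
        so db=dummy/table=*/column=* covers {"database": "dummy"} while
        db=dummy/table=t1/column=* does not;
      * a policy naming fewer levels than the request does not match
        (ancestor policies are out of scope for this model).
    """
    for level in hierarchy:
        policy_values = policy_resources.get(level, {}).get("values", [])
        if level in request_resource:
            if not policy_values:
                return False
            if "*" not in policy_values and request_resource[level] not in policy_values:
                return False
        elif policy_values and policy_values != ["*"]:
            # Request stops above this level; a concrete value here is more
            # specific than what was asked for, so the policy does not cover it.
            return False
    return True


def is_allowed(policy, request_resource, user, access_type):
    """Allow/allow-exception evaluation: allowed when a policyItem grants the
    access to the user and no allowException for that user lists it."""
    if not resource_matches(policy["resources"], request_resource):
        return False
    granted = any(
        user in item["users"] and access_type in item["accesses"]
        for item in policy["policyItems"]
    )
    if not granted:
        return False
    excluded = any(
        user in exc["users"] and access_type in exc["accesses"]
        for exc in policy["allowExceptions"]
    )
    return not excluded


def evaluate_report_cases():
    """Re-run the requests from the report against the modelled policy."""
    db = {"database": "dummy"}
    tbl = {"database": "dummy", "table": "dummy"}
    col = {"database": "dummy", "table": "dummy", "column": "c1"}
    return {
        "user1 drop database dummy": is_allowed(POLICY_8, db, "user1", "drop"),
        "user1 drop table dummy.dummy": is_allowed(POLICY_8, tbl, "user1", "drop"),
        "user1 drop column dummy.dummy.c1": is_allowed(POLICY_8, col, "user1", "drop"),
        "user1 create table dummy.dummy": is_allowed(POLICY_8, tbl, "user1", "create"),
        "user2 drop database dummy": is_allowed(POLICY_8, db, "user2", "drop"),
    }


def narrowed_policy_blocks_database_drop():
    """Pin the table level to a concrete name: the database-level request is
    no longer covered, while the request for that table still is."""
    narrowed = dict(POLICY_8)
    narrowed["resources"] = {
        "database": {"values": ["dummy"]},
        "table": {"values": ["t1"]},
        "column": {"values": ["*"]},
    }
    return (
        is_allowed(narrowed, {"database": "dummy"}, "user1", "drop"),                # False
        is_allowed(narrowed, {"database": "dummy", "table": "t1"}, "user1", "drop"),  # True
    )


if __name__ == "__main__":
    for name, allowed in evaluate_report_cases().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    print("narrowed policy (db drop, table t1 drop):", narrowed_policy_blocks_database_drop())
```

Under these modelled rules the drop requests at database, table and column level are all allowed for user1 by the same policy, create is removed by the allow exception, and user2 is denied everything, which is the pattern the report's test cases show. The contrast case is the practical check: only a non-wildcard value at the table level stops the policy from covering a database-level request.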
