[
https://issues.apache.org/jira/browse/RANGER-3985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonas Hartwig updated RANGER-3985:
----------------------------------
Description:
The Ranger rules to create tables in Trino currently check schema level to
create.
If this is set, anyone can create any table/view. There is no way to limit the
naming of tables.
However, e.g. drop and alter rights are granted on table level. So users might
create any table, but not remove them.
To allow a stricter implementation, view/table creation should verify the table
name as well.
In that case the previous behaviour can be created by adding a rule to allow
create on catalog/schema/*.
was: The Ranger rules to create tables in Trino only check schema level on
create. They should check by table name as well. It easily gets inconsistent if
users or groups are allowed to read, drop and alter certain tables like
t_<user>_* but may create any. So rules to create all tables should then be
catalog/schema/*
> Trino plugin: Check table name when creating tables
> ---------------------------------------------------
>
> Key: RANGER-3985
> URL: https://issues.apache.org/jira/browse/RANGER-3985
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Affects Versions: 2.3.0
> Reporter: Jonas Hartwig
> Priority: Major
> Fix For: 2.4.0
>
>
> The Ranger rules to create tables in Trino currently check schema level to
> create.
> If this is set, anyone can create any table/view. There is no way to limit
> the naming of tables.
> However, e.g. drop and alter rights are granted on table level. So users might
> create any table, but not remove them.
> To allow a stricter implementation, view/table creation should verify the table
> name as well.
> In that case the previous behaviour can be created by adding a rule to allow
> create on catalog/schema/*.
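The gap described in the issue, as an added example that is not part of the original message and is not Ranger's plugin code: a simplified Python model that compares a schema-level create check with a table-level one and lists tables a user could create but not drop. The policy shape, the user `alice`, the catalog `hive`, the schema `sandbox` and all function names are assumptions made for illustration; only the `t_<user>_*` and `catalog/schema/*` patterns come from the issue text.

```python
from fnmatch import fnmatchcase

def allowed(policies, user, access, resource):
    """True if some policy grants `access` to `user` on a pattern matching `resource`."""
    return any(
        p["user"] == user and access in p["access"]
        and fnmatchcase(resource, p["resource"])
        for p in policies
    )

def can_create_schema_level(policies, user, catalog, schema, table):
    # Behaviour the issue describes: the table name never reaches the check.
    return allowed(policies, user, "create", f"{catalog}/{schema}")

def can_create_table_level(policies, user, catalog, schema, table):
    # Behaviour the issue asks for: create is checked like drop and alter.
    return allowed(policies, user, "create", f"{catalog}/{schema}/{table}")

def can_drop(policies, user, catalog, schema, table):
    return allowed(policies, user, "drop", f"{catalog}/{schema}/{table}")

# Constructed policies (assumed shape, not Ranger's policy JSON).
SCHEMA_CREATE = [
    {"user": "alice", "resource": "hive/sandbox", "access": {"create"}},
    {"user": "alice", "resource": "hive/sandbox/t_alice_*", "access": {"drop", "alter"}},
]
TABLE_CREATE = [
    {"user": "alice", "resource": "hive/sandbox/t_alice_*", "access": {"create", "drop", "alter"}},
]
CREATE_ANY = [
    {"user": "alice", "resource": "hive/sandbox/*", "access": {"create"}},
]

def orphaned_tables(policies, user, catalog, schema, tables, can_create):
    """Tables the user could create but could not drop afterwards."""
    return [t for t in tables
            if can_create(policies, user, catalog, schema, t)
            and not can_drop(policies, user, catalog, schema, t)]

if __name__ == "__main__":
    names = ["t_alice_tmp", "payroll"]
    print(orphaned_tables(SCHEMA_CREATE, "alice", "hive", "sandbox", names, can_create_schema_level))
    print(orphaned_tables(TABLE_CREATE, "alice", "hive", "sandbox", names, can_create_table_level))
    print(orphaned_tables(CREATE_ANY, "alice", "hive", "sandbox", names, can_create_table_level))
```

The third policy set shows the issue's last point: under a table-level check, a `catalog/schema/*` create rule reproduces the previous create-anything behaviour.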