[
https://issues.apache.org/jira/browse/RANGER-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Manh Nguyen updated RANGER-4958:
--------------------------------
Description:
h1. Environment details
* Hadoop 3.0.0-cdh6.3.2
* Hive 2.1.1 cdh6.3.2
* Trino 425
* ranger-trino-plugin-3.0.0-SNAPSHOT
h1. Steps to reproduce
- Iceberg catalog config:
{code:java}
connector.name=iceberg
hive.metastore.uri=thrift://hn-fornix-testing-bigdata-1.ghtklab.local:9083
hive.config.resources=/etc/hadoop/conf/core-site.xml,/etc/hadoop/conf/hdfs-site.xml
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/[email protected]
hive.metastore.client.principal=hive/[email protected]
hive.metastore.client.keytab=/etc/security/keytabs/hive/hive_thrift.keytab
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.trino.principal=hive/[email protected]
hive.hdfs.trino.keytab=/etc/security/keytabs/hive/hive_thrift.keytab
iceberg.register-table-procedure.enabled=true
iceberg.unique-table-location=false
iceberg.security=ALLOW_ALL{code}
- Ranger policy for the user running this query: (image attached)
!image-2024-10-14-18-23-08-645.png!
All queries are run as a user who has full access to all resources (Ranger policy
attached)
{code:java}
-- create iceberg table
CREATE TABLE iceberg.test.test_iceberg
WITH (
format = 'PARQUET'
) AS
SELECT 1 as id, 10 as users_count
UNION ALL
SELECT 2 as id, 20 as users_count
UNION ALL
SELECT 3 as id, 30 as users_count;
-- update (merge into) iceberg table
UPDATE iceberg.test.test_iceberg SET users_count = 100 WHERE id = 1;
MERGE INTO iceberg.test.test_iceberg AS target
USING (SELECT 1 as id, 100 as users_count) AS source
ON target.id = source.id
WHEN MATCHED THEN
UPDATE SET users_count = source.users_count + target.users_count
WHEN NOT MATCHED THEN
INSERT (id, users_count) VALUES (source.id, source.users_count);{code}
h1. Error details
[4] Query failed (#20241007_104507_26890_cttwz): Access Denied: Cannot update
columns [users_count] in table iceberg.test.test_iceberg
io.trino.spi.security.AccessDeniedException: Access Denied: Cannot update
columns [users_count] in table iceberg.test.test_iceberg
h1. Expected behavior
The update (merge into) procedure should be successful.
was:
h1. Environment details
* Hadoop 3.0.0-cdh6.3.2
* Hive 2.1.1 cdh6.3.2
* Trino 425
* ranger-trino-plugin-3.0.0-SNAPSHOT
h1. Steps to reproduce
- Iceberg catalog config:
{code:java}
connector.name=iceberg
hive.metastore.uri=thrift://hn-fornix-testing-bigdata-1.ghtklab.local:9083
hive.config.resources=/etc/hadoop/conf/core-site.xml,/etc/hadoop/conf/hdfs-site.xml
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/[email protected]
hive.metastore.client.principal=hive/[email protected]
hive.metastore.client.keytab=/etc/security/keytabs/hive/hive_thrift.keytab
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.trino.principal=hive/[email protected]
hive.hdfs.trino.keytab=/etc/security/keytabs/hive/hive_thrift.keytab
iceberg.register-table-procedure.enabled=true
iceberg.unique-table-location=false
iceberg.security=ALLOW_ALL{code}
- Ranger policy for the user running this query: (image attached)
!image-2024-10-14-18-23-08-645.png!
All queries are run as a user who has full access to all resources (Ranger policy
attached)
{code:java}
-- create iceberg table
CREATE TABLE iceberg.default.test_iceberg
WITH (
format = 'PARQUET'
) AS
SELECT 1 as id, 10 as users_count
UNION ALL
SELECT 2 as id, 20 as users_count
UNION ALL
SELECT 3 as id, 30 as users_count;
-- update (merge into) iceberg table
UPDATE iceberg.test.test_iceberg SET users_count = 100 WHERE id = 1;
MERGE INTO iceberg.test.test_iceberg AS target
USING (SELECT 1 as id, 100 as users_count) AS source
ON target.id = source.id
WHEN MATCHED THEN
UPDATE SET users_count = source.users_count + target.users_count
WHEN NOT MATCHED THEN
INSERT (id, users_count) VALUES (source.id, source.users_count);{code}
h1. Error details
[4] Query failed (#20241007_104507_26890_cttwz): Access Denied: Cannot update
columns [users_count] in table iceberg.test.test_iceberg
io.trino.spi.security.AccessDeniedException: Access Denied: Cannot update
columns [users_count] in table iceberg.test.test_iceberg
h1. Expected behavior
The update (merge into) procedure should be successful.
> [Ranger Trino] Update (merge into) & Procedure failed with Access Denied
> error (Iceberg catalog)
> ------------------------------------------------------------------------------------------------
>
> Key: RANGER-4958
> URL: https://issues.apache.org/jira/browse/RANGER-4958
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Manh Nguyen
> Priority: Major
> Attachments: Screenshot from 2024-10-14 18-22-47.png