[
https://issues.apache.org/jira/browse/RANGER-5612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated RANGER-5612:
--------------------------------
Description:
When Ranger is the authorization provider for Apache Hive,
[RangerHiveAuthorizer#getRoleGrantInfoForPrincipal()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L457-L528]
is used to process the {{SHOW ROLE GRANT USER}} and {{SHOW ROLE GRANT GROUP}}
statements.
Under the covers,
[RangerHiveAuthorizer#getHiveRoleGrant()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L3226-L3241]
is used to populate the related fields in
[HiveRoleGrant|https://github.com/apache/hive/blob/3d21fc4/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java],
including '{{{}grantor{}}}' and '{{{}grantTime{}}}', which denote the
principal user that granted the role to the grantee, and the respective time of
the grant operation (from the name of the fields). An example output of this
could be found at
[https://hive.apache.org/docs/latest/language/sql-standard-based-hive-authorization/#:~:text=Example%20of%20Show%20Role%20Grant].
However, take {{SHOW ROLE GRANT USER}} for example. The field '{{{}grantor{}}}'
is populated with the principal user that created the role, and the field
'{{{}grantTime{}}}' is populated with the time when this role was updated. This
does not seem correct.
{code:java}
private HiveRoleGrant getHiveRoleGrant(RangerRole role, RoleMember roleMember, String type) {
    HiveRoleGrant ret = new HiveRoleGrant();
    ret.setRoleName(role.getName());
    ret.setGrantOption(roleMember.getIsAdmin());
    // '{{grantor}}' is populated with the principal user that created the role.
    ret.setGrantor(role.getCreatedByUser());
    ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
    ret.setPrincipalName(roleMember.getName());
    ret.setPrincipalType(type);
    if (role.getUpdateTime() != null) {
        // '{{grantTime}}' is populated with the time when this role was updated.
        ret.setGrantTime((int) (role.getUpdateTime().getTime() / 1000));
    }
    return ret;
}
{code}
To address the issue above, we may have to add additional fields to
[RoleMember|https://github.com/apache/ranger/blob/d1589d629d0b9b27d4e2130c17d807998a22ba97/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java#L232-L292]
so that {{RangerHiveAuthorizer#getHiveRoleGrant()}} will be able to retrieve
these 2 pieces of information.
{code:java}
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY)
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@JsonIgnoreProperties(ignoreUnknown = true)
public static class RoleMember implements java.io.Serializable {
private static final long serialVersionUID = 1L;
private String name;
private boolean isAdmin;
// We may need 2 fields to denote the grantor and the grantTime
// for a RoleMember.
public RoleMember() {
this(null, false);
}
....
}
{code}
was:
When Ranger is the authorization provider for Apache Hive,
[RangerHiveAuthorizer#getRoleGrantInfoForPrincipal()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L457-L528]
is used to process the {{SHOW ROLE GRANT USER}} and {{SHOW ROLE GRANT GROUP}}
statements.
Under the covers,
[RangerHiveAuthorizer#getHiveRoleGrant()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L3226-L3241]
is used to populate the related fields in
[HiveRoleGrant|https://github.com/apache/hive/blob/3d21fc4/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java],
including '{{{}grantor{}}}' and '{{{}grantTime{}}}', which denote the
principal user that granted the role to the grantee, and the respective time of
the grant operation (from the name of the fields). An example output of this
could be found at
[https://hive.apache.org/docs/latest/language/sql-standard-based-hive-authorization/#:~:text=Example%20of%20Show%20Role%20Grant].
However, take {{SHOW ROLE GRANT USER}} for example. The field '{{{}grantor{}}}'
is populated with the principal user that created the role, and the field
'{{{}grantTime{}}}' is populated with the time when this role was updated. This
does not seem correct.
{code:java}
private HiveRoleGrant getHiveRoleGrant(RangerRole role, RoleMember roleMember, String type) {
    HiveRoleGrant ret = new HiveRoleGrant();
    ret.setRoleName(role.getName());
    ret.setGrantOption(roleMember.getIsAdmin());
    ret.setGrantor(role.getCreatedByUser()); // '{{grantor}}' is populated with the principal user that created the role.
    ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name()); // '{{grantTime}}' is populated with the time when this role was updated.
    ret.setPrincipalName(roleMember.getName());
    ret.setPrincipalType(type);
    if (role.getUpdateTime() != null) {
        ret.setGrantTime((int) (role.getUpdateTime().getTime() / 1000));
    }
    return ret;
}
{code}
To address the issue above, we may have to add additional fields to
[RoleMember|https://github.com/apache/ranger/blob/d1589d629d0b9b27d4e2130c17d807998a22ba97/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java#L232-L292]
so that {{RangerHiveAuthorizer#getHiveRoleGrant()}} will be able to retrieve
these 2 pieces of information.
{code:java}
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY)
@JsonInclude(JsonInclude.Include.NON_EMPTY)
@JsonIgnoreProperties(ignoreUnknown = true)
public static class RoleMember implements java.io.Serializable {
private static final long serialVersionUID = 1L;
private String name;
private boolean isAdmin;
// We may need 2 fields to denote the grantor and the grantTime
// for a RoleMember.
public RoleMember() {
this(null, false);
}
....
}
{code}
> grantor and grantTime are not correctly shown in SHOW ROLE GRANT USER/GROUP
> ---------------------------------------------------------------------------
>
> Key: RANGER-5612
> URL: https://issues.apache.org/jira/browse/RANGER-5612
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Reporter: Fang-Yu Rao
> Priority: Major
>
> When Ranger is the authorization provider for Apache Hive,
> [RangerHiveAuthorizer#getRoleGrantInfoForPrincipal()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L457-L528]
> is used to process the {{SHOW ROLE GRANT USER}} and {{SHOW ROLE GRANT GROUP}}
> statements.
>
> Under the covers,
> [RangerHiveAuthorizer#getHiveRoleGrant()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L3226-L3241]
> is used to populate the related fields in
> [HiveRoleGrant|https://github.com/apache/hive/blob/3d21fc4/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java],
> including '{{{}grantor{}}}' and '{{{}grantTime{}}}', which denote the
> principal user that granted the role to the grantee, and the respective time
> of the grant operation (from the name of the fields). An example output of
> this could be found at
> [https://hive.apache.org/docs/latest/language/sql-standard-based-hive-authorization/#:~:text=Example%20of%20Show%20Role%20Grant].
>
> However, take {{SHOW ROLE GRANT USER}} for example. The field
> '{{{}grantor{}}}' is populated with the principal user that created the role,
> and the field '{{{}grantTime{}}}' is populated with the time when this role
> was updated. This does not seem correct.
> {code:java}
> private HiveRoleGrant getHiveRoleGrant(RangerRole role, RoleMember roleMember, String type) {
>     HiveRoleGrant ret = new HiveRoleGrant();
>     ret.setRoleName(role.getName());
>     ret.setGrantOption(roleMember.getIsAdmin());
>     // '{{grantor}}' is populated with the principal user that created the role.
>     ret.setGrantor(role.getCreatedByUser());
>     ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
>     ret.setPrincipalName(roleMember.getName());
>     ret.setPrincipalType(type);
>     if (role.getUpdateTime() != null) {
>         // '{{grantTime}}' is populated with the time when this role was updated.
>         ret.setGrantTime((int) (role.getUpdateTime().getTime() / 1000));
>     }
>     return ret;
> }
> {code}
>
> To address the issue above, we may have to add additional fields to
> [RoleMember|https://github.com/apache/ranger/blob/d1589d629d0b9b27d4e2130c17d807998a22ba97/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java#L232-L292]
> so that {{RangerHiveAuthorizer#getHiveRoleGrant()}} will be able to retrieve
> these 2 pieces of information.
> {code:java}
> @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY)
> @JsonInclude(JsonInclude.Include.NON_EMPTY)
> @JsonIgnoreProperties(ignoreUnknown = true)
> public static class RoleMember implements java.io.Serializable {
> private static final long serialVersionUID = 1L;
> private String name;
> private boolean isAdmin;
> // We may need 2 fields to denote the grantor and the grantTime
> // for a RoleMember.
> public RoleMember() {
> this(null, false);
> }
> ....
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
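As an added illustration, not code from the issue above or from the Ranger project, here is a stand-alone Java sketch of the RoleMember change the reporter proposes, together with the fallback a plugin would want while older admin servers still send member entries without the new fields. RangerRole, RoleMember and HiveRoleGrant below are trimmed stand-ins carrying only the fields this issue touches; the field names grantor and grantTime on RoleMember, the fallback rule, the class name RoleGrantSketch and the sample role data are all assumptions.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class RoleGrantSketch {

    /** Trimmed stand-in (assumption) for Hive's HiveRoleGrant: the values SHOW ROLE GRANT reports. */
    static final class HiveRoleGrant {
        String roleName, grantor, grantorType, principalName, principalType;
        boolean grantOption;
        int grantTime;

        @Override
        public String toString() {
            return "role=" + roleName + " principal=" + principalName + "/" + principalType
                 + " grantOption=" + grantOption + " grantor=" + grantor + "/" + grantorType
                 + " grantTime=" + grantTime;
        }
    }

    /** Trimmed stand-in (assumption) for RangerRole.RoleMember with the two proposed fields added. */
    static final class RoleMember {
        final String  name;
        final boolean isAdmin;
        final String  grantor;   // proposed: user who executed GRANT ROLE ... TO <principal>
        final Date    grantTime; // proposed: when that grant was executed

        RoleMember(String name, boolean isAdmin) {
            this(name, isAdmin, null, null);
        }

        RoleMember(String name, boolean isAdmin, String grantor, Date grantTime) {
            this.name = name;
            this.isAdmin = isAdmin;
            this.grantor = grantor;
            this.grantTime = grantTime;
        }
    }

    /** Trimmed stand-in (assumption) for RangerRole: only what getHiveRoleGrant() reads. */
    static final class RangerRole {
        final String name;
        final String createdByUser;
        final Date   updateTime;
        final List<RoleMember> users = new ArrayList<>();

        RangerRole(String name, String createdByUser, Date updateTime) {
            this.name = name;
            this.createdByUser = createdByUser;
            this.updateTime = updateTime;
        }
    }

    /**
     * Candidate body for getHiveRoleGrant() once RoleMember carries grant metadata:
     * grantor and grantTime are read from the membership itself. A member without
     * that metadata (a role payload written by an admin server that predates the
     * new fields simply has no such keys, so they deserialize to null) falls back
     * to the role-level createdByUser/updateTime, i.e. today's behaviour, so a
     * plugin carrying this change can be rolled out before the admin side.
     */
    static HiveRoleGrant getHiveRoleGrant(RangerRole role, RoleMember member, String type) {
        HiveRoleGrant ret = new HiveRoleGrant();
        ret.roleName      = role.name;
        ret.grantOption   = member.isAdmin;
        ret.principalName = member.name;
        ret.principalType = type;
        ret.grantorType   = "USER"; // HivePrincipal.HivePrincipalType.USER.name() in the real code

        ret.grantor = member.grantor != null ? member.grantor : role.createdByUser;

        Date when = member.grantTime != null ? member.grantTime : role.updateTime;
        if (when != null) {
            ret.grantTime = (int) (when.getTime() / 1000); // HiveRoleGrant keeps seconds
        }
        return ret;
    }

    public static void main(String[] args) {
        // Constructed sample: 'hive' created the role, 'alice' later granted it to
        // 'bob', and the role was updated once more after that (say, 'carol' was
        // added through an admin server that does not yet record grant metadata).
        Date granted = new Date(1_700_086_400_000L);
        Date updated = new Date(1_700_172_800_000L);

        RangerRole role = new RangerRole("analyst", "hive", updated);
        role.users.add(new RoleMember("bob",   false, "alice", granted)); // carries grant metadata
        role.users.add(new RoleMember("carol", true));                    // legacy member, none

        for (RoleMember m : role.users) {
            System.out.println(getHiveRoleGrant(role, m, "USER"));
        }
    }
}
```

With this mapping, bob's row reports alice and the time of the grant, which is what the reporter expects SHOW ROLE GRANT USER to show; carol's row, lacking per-membership metadata, still reports hive and the role's last update time, which is what the current Ranger code reports for every member. The fallback matters because the plugin and the admin server are upgraded independently and exchange roles as JSON: with the @JsonInclude(NON_EMPTY) and @JsonIgnoreProperties(ignoreUnknown = true) annotations quoted in the issue, an older plugin ignores the two new keys and a newer plugin sees them as absent, so neither direction breaks, but only the newer plugin with populated fields yields the corrected output.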