Fang-Yu Rao created RANGER-5616:
-----------------------------------

             Summary: grant_option is not correctly populated in SHOW GRANT USER/GROUP in Hive
                 Key: RANGER-5616
                 URL: https://issues.apache.org/jira/browse/RANGER-5616
             Project: Ranger
          Issue Type: Bug
          Components: plugins
            Reporter: Fang-Yu Rao


We found that the column of '{{grant_option}}' is not correctly populated in {{SHOW ROLE GRANT USER/GROUP}} in Hive.

Take SHOW ROLE GRANT USER for example. In this case, we execute the following in [RangerHiveAuthorizer#getRoleGrantInfoForPrincipal()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L494-L498].
That is, we instantiate a {{RoleMember}} by "{{new RoleMember(principalName, /* isAdmin */ false)}}", which hardcoded the field '{{isAdmin}}' to null.
{code:java}
                        case "USER":
                            RoleMember userRoleMember = new RoleMember(principalName, /* isAdmin */ false);

                            ret.add(getHiveRoleGrant(rangerRole, userRoleMember, type));
                            break;
{code}

Later, when populating the field of '{{grantOption}}' in [HiveRoleGrant|https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java], we use the value of '{{userRoleMember}}''s '{{isAdmin}}' that was hardcoded to {{false}}. This is incorrect.
{code:java}
    private HiveRoleGrant getHiveRoleGrant(RangerRole role, RoleMember roleMember, String type) {
        HiveRoleGrant ret = new HiveRoleGrant();

        ret.setRoleName(role.getName());
        ret.setGrantOption(roleMember.getIsAdmin()); // roleMember.getIsAdmin() was hardcoded to false.
        ret.setGrantor(role.getCreatedByUser());
        ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
        ret.setPrincipalName(roleMember.getName());
        ret.setPrincipalType(type);

        if (role.getUpdateTime() != null) {
            ret.setGrantTime((int) (role.getUpdateTime().getTime() / 1000));
        }

        return ret;
    }
{code}

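The effect described in this issue, as an added example that is not part of the original report and is not Ranger or Hive code: with a member object rebuilt per request and {{isAdmin}} fixed to {{false}}, a role administrator is listed without grant option, so a review of who can delegate the role under-reports. The types {{Role}}, {{RoleMember}} and {{RoleGrant}} and both methods are hypothetical stand-ins, and reading the flag from the role's stored member list is an assumption about where the real value lives, not the project's fix.

```java
import java.util.List;

// Stand-in types for illustration only; not Ranger's or Hive's real classes.
public class GrantOptionDemo {
    record RoleMember(String name, boolean isAdmin) {}
    record Role(String name, List<RoleMember> users) {}
    record RoleGrant(String roleName, String principal, boolean grantOption) {}

    // Pattern from the report: a fresh member is built with isAdmin fixed to
    // false, so the admin flag stored on the role never reaches grant_option.
    static RoleGrant grantHardcoded(Role role, String principal) {
        RoleMember m = new RoleMember(principal, /* isAdmin */ false);
        return new RoleGrant(role.name(), m.name(), m.isAdmin());
    }

    // Assumed alternative: reuse the member entry stored on the role so that
    // grant_option mirrors the recorded admin flag. Returns null for a
    // principal that is not a member of the role.
    static RoleGrant grantFromRole(Role role, String principal) {
        return role.users().stream()
                .filter(m -> m.name().equals(principal))
                .findFirst()
                .map(m -> new RoleGrant(role.name(), m.name(), m.isAdmin()))
                .orElse(null);
    }

    public static void main(String[] args) {
        // Constructed sample data: alice administers the role, bob is a plain member.
        Role analysts = new Role("analysts", List.of(
                new RoleMember("alice", true),
                new RoleMember("bob", false)));
        for (String user : List.of("alice", "bob")) {
            System.out.printf("%-5s hardcoded=%-5b fromRole=%b%n", user,
                    grantHardcoded(analysts, user).grantOption(),
                    grantFromRole(analysts, user).grantOption());
        }
    }
}
```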