[
https://issues.apache.org/jira/browse/RANGER-5616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated RANGER-5616:
--------------------------------
Description:
We found that the column of '{{grant_option}}' is not correctly populated in
{{SHOW ROLE GRANT USER/GROUP}} in Hive.
Take {{SHOW ROLE GRANT USER}} for example. In this case, we execute the
following in
[RangerHiveAuthorizer#getRoleGrantInfoForPrincipal()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L494-L498].
That is, we instantiate a {{RoleMember}} by "{{new RoleMember(principalName, /*
isAdmin */ false)}}", which hardcoded the field '{{isAdmin}}' to null.
{code:java}
case "USER":
    RoleMember userRoleMember = new RoleMember(principalName, /* isAdmin */ false);
    ret.add(getHiveRoleGrant(rangerRole, userRoleMember, type));
    break;
{code}
Later, when populating the field of '{{grantOption}}' in
[HiveRoleGrant|https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java],
we use the value of '{{userRoleMember}}''s '{{isAdmin}}' that was hardcoded to
{{false}}. This is incorrect.
{code:java}
private HiveRoleGrant getHiveRoleGrant(RangerRole role, RoleMember roleMember, String type) {
    HiveRoleGrant ret = new HiveRoleGrant();
    ret.setRoleName(role.getName());
    ret.setGrantOption(roleMember.getIsAdmin()); // roleMember.getIsAdmin() was hardcoded to false.
    ret.setGrantor(role.getCreatedByUser());
    ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
    ret.setPrincipalName(roleMember.getName());
    ret.setPrincipalType(type);
    if (role.getUpdateTime() != null) {
        ret.setGrantTime((int) (role.getUpdateTime().getTime() / 1000));
    }
    return ret;
}
{code}
> grant_option is not correctly populated in SHOW GRANT USER/GROUP in Hive
> ------------------------------------------------------------------------
>
> Key: RANGER-5616
> URL: https://issues.apache.org/jira/browse/RANGER-5616
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Fang-Yu Rao
> Priority: Major
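The following is an added example, not code from the issue or from the Ranger or Hive projects. It reproduces the pattern described in the report with stand-in types, next to a lookup that reads the admin flag from the role's stored member entry. The types RoleMember, Role and RoleGrant, the method names, the sample users and the lookup-based correction are all assumptions made for illustration; the issue does not show the actual fix. Requires Java 16 or later for records.

```java
import java.util.List;

// Stand-in types for this example only; they mirror the fields the issue
// mentions and are not Ranger's or Hive's classes.
public class GrantOptionDemo {
    record RoleMember(String name, boolean isAdmin) {}
    record Role(String name, List<RoleMember> users) {}
    record RoleGrant(String roleName, String principal, boolean grantOption) {}

    // Pattern described in the issue: a fresh member is built with
    // isAdmin = false, so the stored flag never reaches the grant row.
    static RoleGrant reportedBehaviour(Role role, String principalName) {
        RoleMember member = new RoleMember(principalName, /* isAdmin */ false);
        return new RoleGrant(role.name(), member.name(), member.isAdmin());
    }

    // Assumed correction (hypothetical): reuse the member entry stored on the role.
    static RoleGrant fromStoredMember(Role role, String principalName) {
        RoleMember member = role.users().stream()
                .filter(m -> m.name().equals(principalName))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException(
                        principalName + " is not a member of " + role.name()));
        return new RoleGrant(role.name(), member.name(), member.isAdmin());
    }

    public static void main(String[] args) {
        // Constructed sample data: alice administers the role, bob is a plain member.
        Role etl = new Role("etl_admin", List.of(
                new RoleMember("alice", true),
                new RoleMember("bob", false)));

        // Compare what the listing would show against what the role stores.
        for (String user : List.of("alice", "bob")) {
            RoleGrant shown = reportedBehaviour(etl, user);
            RoleGrant stored = fromStoredMember(etl, user);
            boolean mismatch = shown.grantOption() != stored.grantOption();
            System.out.printf("%-6s shown grant_option=%-5b stored isAdmin=%-5b%s%n",
                    user, shown.grantOption(), stored.grantOption(),
                    mismatch ? "  <-- mismatch" : "");
        }
    }
}
```

A review that relies on the grant_option column to find who can administer a role would miss every principal flagged as a mismatch here, so a regression test for the fix should include at least one member whose stored admin flag is true.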