[ https://issues.apache.org/jira/browse/RANGER-5616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fang-Yu Rao updated RANGER-5616:
--------------------------------
    Summary: grant_option is not corrected populated in SHOW ROLE GRANT 
USER/GROUP in Hive  (was: grant_option is not corrected populated in SHOW GRANT 
USER/GROUP in Hive)

> grant_option is not corrected populated in SHOW ROLE GRANT USER/GROUP in Hive
> -----------------------------------------------------------------------------
>
>                 Key: RANGER-5616
>                 URL: https://issues.apache.org/jira/browse/RANGER-5616
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Fang-Yu Rao
>            Priority: Major
>
> We found that the column of '{{grant_option}}' is not correctly populated 
> in {{SHOW ROLE GRANT USER/GROUP}} in Hive.
>  
> Take {{SHOW ROLE GRANT USER}} for example. In this case, we execute the 
> following in 
> [RangerHiveAuthorizer#getRoleGrantInfoForPrincipal()|https://github.com/apache/ranger/blob/d1589d6/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L494-L498].
> That is, we first instantiate a {{RoleMember}} by 
> "{{new RoleMember(principalName, /* isAdmin */ false)}}", which hardcodes the 
> field '{{isAdmin}}' to {{null}}.
> {code:java}
>                         case "USER":
>                             RoleMember userRoleMember = new RoleMember(principalName, /* isAdmin */ false);
>                             ret.add(getHiveRoleGrant(rangerRole, userRoleMember, type));
>                             break;
> {code}
>  
> Later, when populating the field of '{{grantOption}}' in 
> [HiveRoleGrant|https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java],
> we use the value of {{userRoleMember}}'s '{{isAdmin}}' that was 
> hardcoded to {{false}}. This is incorrect.
> {code:java}
>     private HiveRoleGrant getHiveRoleGrant(RangerRole role, RoleMember roleMember, String type) {
>         HiveRoleGrant ret = new HiveRoleGrant();
>         ret.setRoleName(role.getName());
>         ret.setGrantOption(roleMember.getIsAdmin()); // roleMember.getIsAdmin() was hardcoded to false.
>         ret.setGrantor(role.getCreatedByUser());
>         ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
>         ret.setPrincipalName(roleMember.getName());
>         ret.setPrincipalType(type);
>         if (role.getUpdateTime() != null) {
>             ret.setGrantTime((int) (role.getUpdateTime().getTime() / 1000));
>         }
>         return ret;
>     }
> {code}
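
The effect described in the report, as an added example that is not part of the original message or of the Ranger code base: an audit that reads grant_option from this output would never see a role admin. {{Role}}, {{RoleMember}} and {{RoleGrant}} are simplified stand-ins for the real classes, the sample data is constructed, and {{fromStoredMember}} is a hypothetical approach, not the project's fix.

```java
import java.util.List;
import java.util.Optional;

public class RoleGrantOptionDemo {
    // Simplified stand-ins for the role model (assumption, not Ranger's or Hive's classes).
    record RoleMember(String name, boolean isAdmin) {}
    record Role(String name, List<RoleMember> users, List<RoleMember> groups) {}
    record RoleGrant(String roleName, String principalName, String principalType, boolean grantOption) {}

    // Behaviour described in the report: the member is rebuilt with isAdmin = false,
    // so grantOption is false no matter what the role definition says.
    static RoleGrant hardcoded(Role role, String principal, String type) {
        RoleMember member = new RoleMember(principal, /* isAdmin */ false);
        return new RoleGrant(role.name(), member.name(), type, member.isAdmin());
    }

    // Hypothetical alternative: use the member entry stored on the role itself,
    // and report nothing when the principal is not a member of the role.
    static Optional<RoleGrant> fromStoredMember(Role role, String principal, String type) {
        List<RoleMember> members = switch (type) {
            case "USER" -> role.users();
            case "GROUP" -> role.groups();
            default -> List.<RoleMember>of();
        };
        return members.stream()
                .filter(m -> m.name().equals(principal))
                .findFirst()
                .map(m -> new RoleGrant(role.name(), m.name(), type, m.isAdmin()));
    }

    public static void main(String[] args) {
        // Constructed sample role: alice and the ops group hold the role with admin option.
        Role role = new Role("etl_admin",
                List.of(new RoleMember("alice", true), new RoleMember("bob", false)),
                List.of(new RoleMember("ops", true)));
        String[][] principals = {{"alice", "USER"}, {"bob", "USER"}, {"ops", "GROUP"}, {"carol", "USER"}};
        for (String[] p : principals) {
            boolean reported = hardcoded(role, p[0], p[1]).grantOption();
            String stored = fromStoredMember(role, p[0], p[1])
                    .map(g -> String.valueOf(g.grantOption()))
                    .orElse("not a member");
            System.out.printf("%-5s %-6s reported=%b stored=%s%n", p[1], p[0], reported, stored);
        }
    }
}
```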


