[jira] [Commented] (RANGER-5610) getResourceACLs for a principal should consider validitySchedule of principal for ACL creation

Thu, 28 May 2026 17:37:13 -0700 


    [ 
https://issues.apache.org/jira/browse/RANGER-5610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18084239#comment-18084239
 ] 

Madhan Neethiraj commented on RANGER-5610:
------------------------------------------

[~rmani]  - {{getResourceACLs()}} return 4 possible results for each 
permission: allowed, denied, conditional, undetermined. In case of conditional 
allow or deny,  {{RangerHiveAuthorizer.getPermission()}} returns the permission 
name with suffix "{{{}(ACCESS_CONDITIONAL){}}}", like "{{{}select 
(ACCESS_CONDITIONAL){}}}". If such permissions are not to be included, I 
suggest to skip them in{{RangerHiveAuthorizer.getHivePrivilegeInfos()}}:

{code}
Map<String, RangerResourceACLs.AccessResult> userAccessResult = 
userRangerACLs.get(user);

for (Privilege userACL : userACLs.keySet()) {
    RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());

    if (policy != null) {
        String aclname = getPermission(userACL, userAccessResult, policy);

        if (StringUtils.equals(aclName, userACL.name()) { // this will return 
false if the grant is conditional <<== add this `if`
            HivePrivilegeInfo privilegeInfo = 
createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, 
partValues, aclname, policy);

            ret.add(privilegeInfo);
        }
    }
}
{code}

> getResourceACLs for a principal should consider validitySchedule of principal 
> for ACL creation
> ----------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5610
>                 URL: https://issues.apache.org/jira/browse/RANGER-5610
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: Ramesh Mani
>            Assignee: Ramesh Mani
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> getResourceACLs for a principal should consider validitySchedule of principal 
> for ACL creation. Currently getResourceACLs returns a set of ACLs for the 
> principal but if the principal is has a validity period which is expired, it 
> is giving the ACLs which are there which is not correct. 
> This scenario occurs in GDS where a principal validity period is expired and 
> ACL still show the access given, even though there is no access.
> Show Privileges in RangerHiveAuthorizer uses the getResourceACLs which also 
> result in wrong permission sets shown when the principal validity period 
> expired.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to