Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Tue, 27 Dec 2016 08:30:53 -0800 


> On Dec. 27, 2016, 9:39 a.m., Ankita Sinha wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java,
> >  line 1186
> > <https://reviews.apache.org/r/53967/diff/1/?file=1568248#file1568248line1186>
> >
> >     Can "Insert" and "Delete" be added as enum in HiveAccessType and used.

Given that "insert" and "delete" operations are mapped to "update" permission 
in RangerHiveAuthorizer.getAccessType(), I would suggest  
RangerHiveAuthorizer.createGrantRevokeData() to map them similarly.

            } else if (StringUtils.equalsIgnoreCase(privName, "insert") || 
StringUtils.equalsIgnoreCase(privName, "delete")) {
                
ret.getAccessTypes().add(HiveAccessType.UPDATE.name().toLowerCase());
            } else {
                LOG.warn("grant/revoke: unexpected privilege type '" + privName 
+ "'. Ignored");
            }


- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review160143
-----------------------------------------------------------


On Nov. 23, 2016, 7:18 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53967/
> -----------------------------------------------------------
> 
> (Updated Nov. 23, 2016, 7:18 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: Ranger-1210
>     https://issues.apache.org/jira/browse/Ranger-1210
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> beeline>grant insert on test10 to user userx;
> returns OK.
> 
> But actually the hive log has a warning entry:
> grant/revoke: unexpected privilege type 'DELETE'. Ignored
> The policy is actually created but with no policy items. While the "UPDATE" 
> grant properly sets up the policy item.
> According to 
> https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
> Both INSERT and DELETE should be mapped to UPDATE.
> What user experiences is that the grant of INSERT/DELETE has no effect at all 
> even the return status is good.
> So we should throw an exception with an informational message about the 
> INSERR/DELET=>UPDATE mapping.
> 
> 
> Diffs
> -----
> 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  92fc2e7 
> 
> Diff: https://reviews.apache.org/r/53967/diff/
> 
> 
> Testing
> -------
> 
> Manual tests ok.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>

Reply via email to