[
https://issues.apache.org/jira/browse/HAWQ-1279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hongxu Ma updated HAWQ-1279:
----------------------------
Description:
namespace_path is cached in each psql session and the cache invalidation is
triggered by Grant/Revoke SQL.
When enable_ranger, Grant/Revoke SQL is no longer use, so the cache prevent a
ack-check request sending.
Example:
{code}
// create table t(i int); => failed
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
[{""resource"":{""database"":""postgres"",""schema"":""public""},""privileges"":[""usage""],""allowed"":false}]
// grant usage and create permissions to public schema in ranger and try again
=> failed again
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
// why not send a request for USAGE??
{code}
was:
namespace_path is cached in each psql session and it the cache invalidation is
triggered by Grant/Revoke SQL.
When enable_ranger, Grant/Revoke SQL is no longer use, so the cache prevent a
ack-check request sending.
Example:
{code}
// create table t(i int); => failed
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
[{""resource"":{""database"":""postgres"",""schema"":""public""},""privileges"":[""usage""],""allowed"":false}]
// grant usage and create permissions to public schema in ranger and try again
=> failed again
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
[{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
// why not send a request for USAGE??
{code}
> Force to recompute namespace_path when enable_ranger
> ----------------------------------------------------
>
> Key: HAWQ-1279
> URL: https://issues.apache.org/jira/browse/HAWQ-1279
> Project: Apache HAWQ
> Issue Type: Sub-task
> Components: PXF, Security
> Reporter: Hongxu Ma
> Assignee: Hongxu Ma
> Fix For: backlog
>
>
> namespace_path is cached in each psql session and the cache invalidation is
> triggered by Grant/Revoke SQL.
> When enable_ranger, Grant/Revoke SQL is no longer use, so the cache prevent a
> ack-check request sending.
> Example:
> {code}
> // create table t(i int); => failed
> [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
> [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
> [{""resource"":{""database"":""postgres"",""schema"":""public""},""privileges"":[""usage""],""allowed"":false}]
> // grant usage and create permissions to public schema in ranger and try
> again => failed again
> [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
> [{""resource"":{""database"":""postgres"",""schema"":""pg_catalog""},""privileges"":[""usage""],""allowed"":true}]
> // why not send a request for USAGE??
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
