Andrew Wong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15436 )
Change subject: [ranger] fix incorrect authz enforcement in Ranger authz provider
......................................................................

Patch Set 5:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/15436/1/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:

http://gerrit.cloudera.org:8080/#/c/15436/1/src/kudu/ranger/ranger_client.h@57
PS1, Line 57: enum Scope {
> I think the implication mentioned in this article is the wildcard you were

We discussed this a bit online and there's still an inconsistency I'd like to highlight.

When a user has the privileges:

select on db=a->table=b

today, that user is allowed to act as though they had:

select on db=a->table=b->column=*

I.e. they'd be able to scan any and all columns in a.b.

However, if a user has the privileges:

metadata on db=a

today, that user is _not_ allowed to act as though they had:

metadata on db=a->table=*

I.e. they wouldn't be able to list any tables.

Given what you've mentioned about Ranger's lack of resource hierarchy implications, this latter behavior looks correct and the former looks incorrect. However, the former behavior is understandable because it doesn't seem like it makes much sense for `select on db=a->table=b` to disallow scans on that table -- the current behavior seems correct.

It'd be good to understand if other tabular systems (e.g. Hive and Impala) that use Ranger follow this behavior, or if they rely on explicit `column=*`. If so, we should consider trying to check if the user has `column=*` privileges before authorizing every column in Ranger.
--
To view, visit http://gerrit.cloudera.org:8080/15436
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I267aabc5f224ee7ceeffd6187785595dd6f16487
Gerrit-Change-Number: 15436
Gerrit-PatchSet: 5
Gerrit-Owner: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Adar Dembo <a...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <abu...@apache.org>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Sun, 15 Mar 2020 06:39:08 +0000
Gerrit-HasComments: Yes
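The two privilege checks contrasted in the comment above (a table-level select grant being honoured for column scans, while a database-level metadata grant is not honoured for table listing), as an added model that is not Kudu or Ranger code; the `Privilege` struct, the `Policy` alias and the `AuthorizedStrict`/`AuthorizedCurrent` names are assumptions made for the example.

```cpp
// Added model of the privilege semantics discussed in this review. It is not
// Kudu or Ranger code; Privilege, Policy and the function names are assumptions.
#include <cstdio>
#include <string>
#include <vector>

struct Privilege {
  std::string action;  // e.g. "select" or "metadata"
  std::string db;      // "" = level not specified in the grant
  std::string table;   // "" = not specified, "*" = explicit wildcard
  std::string column;  // "" = not specified, "*" = explicit wildcard
};
using Policy = std::vector<Privilege>;
// Ranger has no resource-hierarchy implication: a grant covers a level only
// when it names that level explicitly or carries an explicit "*".
static bool Matches(const std::string& granted, const std::string& requested) {
  return granted == "*" || (!granted.empty() && granted == requested);
}

// Strict Ranger semantics: every level present in the request must be covered.
bool AuthorizedStrict(const Policy& p, const std::string& action,
                      const std::string& db, const std::string& table,
                      const std::string& column) {
  for (const auto& g : p) {
    if (g.action != action || !Matches(g.db, db)) continue;
    if (!table.empty() && !Matches(g.table, table)) continue;
    if (!column.empty() && !Matches(g.column, column)) continue;
    return true;
  }
  return false;
}

// Behaviour the review describes: a table-level select grant acts as if it
// carried column=*, but a db-level metadata grant does not act as if it carried table=*.
bool AuthorizedCurrent(const Policy& p, const std::string& action,
                       const std::string& db, const std::string& table,
                       const std::string& column) {
  if (AuthorizedStrict(p, action, db, table, column)) return true;
  return action == "select" && !column.empty() &&
         AuthorizedStrict(p, action, db, table, "");
}

int main() {
  Policy ts = {{"select", "a", "b", ""}}, dm = {{"metadata", "a", "", ""}};  // constructed grants
  std::printf("scan a.b.c with select on a.b: strict=%d current=%d\n",
              AuthorizedStrict(ts, "select", "a", "b", "c"), AuthorizedCurrent(ts, "select", "a", "b", "c"));
  std::printf("list a.t with metadata on a: strict=%d current=%d\n",
              AuthorizedStrict(dm, "metadata", "a", "t", ""), AuthorizedCurrent(dm, "metadata", "a", "t", ""));
}
```

`AuthorizedStrict` is also what the explicit `column=*` check suggested at the end of the comment amounts to: a scan request for column `*` is only authorized when the grant itself carries `column=*`.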