Hao Hao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15436 )
Change subject: [ranger] fix incorrect authz enforcement in Ranger authz provider
......................................................................

Patch Set 5:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/15436/1/src/kudu/ranger/ranger_client.h
File src/kudu/ranger/ranger_client.h:

http://gerrit.cloudera.org:8080/#/c/15436/1/src/kudu/ranger/ranger_client.h@57
PS1, Line 57: enum Scope {
> Just jumping in to say that I previously suggested that we formally documen

The reason why we are seeing this 'inconsistency' is because we do require 'METADATA on table' for list tables, as documented with the Sentry integration: https://kudu.apache.org/docs/security.html#_policy_for_kudu_masters. And it happens to work with Sentry even if the user only has 'metadata on db=a', because Sentry has a different policy evaluation model, as we discussed.

In terms of other tabular systems in the Ranger world, I tested with Impala authz: if a user only has 'any on db=a', this user is still able to list the tables in the database. And I agree it will make more sense if a user who has 'metadata on db=a' can list tables in that database (similar to the privilege required to scan a table).

So in sum, we can update the privilege check for list tables to allow it if the user has METADATA on the database; then they can list tables belonging to that database. If you agree, I can do a follow-up patch for it.

And for Adar's comment, I think the reason why we had this patch is that we don't have good test coverage yet (with miniRanger). We do have a clear Kudu privilege enforcement model as described in the doc I linked. But we failed to mention the Ranger policy evaluation model (either in ranger_client or ranger_authz_provider). The comment for 'Scope' here was trying to describe it, and I will try to update it to be more clear.
http://gerrit.cloudera.org:8080/#/c/15436/5/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:

http://gerrit.cloudera.org:8080/#/c/15436/5/src/kudu/ranger/ranger_client.cc@221
PS5, Line 221: return nullptr;
> could use __builtin_unreachable() here instead.

Done


--
To view, visit http://gerrit.cloudera.org:8080/15436

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I267aabc5f224ee7ceeffd6187785595dd6f16487
Gerrit-Change-Number: 15436
Gerrit-PatchSet: 5
Gerrit-Owner: Hao Hao <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Thu, 19 Mar 2020 22:11:56 +0000
Gerrit-HasComments: Yes
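The list-tables privilege check discussed in the comment above, as an added illustration that is not Kudu's or Ranger's own code. It models a policy store in which a database-scoped grant does not match a table-scoped request (the Ranger-style evaluation the comment contrasts with Sentry's hierarchy), and puts the table-only rule the comment says is enforced today beside the proposed rule that also honours METADATA on the database. The types, function names and the sample grants for users alice, bob and carol are all assumptions made for this example.

```cpp
// Hypothetical model of Ranger-style privilege evaluation for list tables.
// Not Kudu code: the action set, types and sample grants are assumptions.
#include <algorithm>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

enum class Action { METADATA, SELECT };

// One granted privilege. An empty table name means the grant is
// database-scoped; otherwise it names exactly one table in that database.
struct Grant {
  std::string db;
  std::string table;
  Action action;
};

class PolicyStore {
 public:
  void Add(const std::string& user, std::string db, std::string table, Action a) {
    grants_[user].push_back({std::move(db), std::move(table), a});
  }

  // Database-scoped request: only a grant on exactly (db, "") matches.
  bool HasOnDatabase(const std::string& user, const std::string& db, Action a) const {
    return Matches(user, [&](const Grant& g) {
      return g.db == db && g.table.empty() && g.action == a;
    });
  }

  // Table-scoped request: only a grant naming that table matches. A
  // database-scoped grant does NOT imply the table, unlike Sentry's model.
  bool HasOnTable(const std::string& user, const std::string& db,
                  const std::string& table, Action a) const {
    return Matches(user, [&](const Grant& g) {
      return g.db == db && g.table == table && g.action == a;
    });
  }

 private:
  template <typename Pred>
  bool Matches(const std::string& user, Pred pred) const {
    auto it = grants_.find(user);
    if (it == grants_.end()) return false;
    return std::any_of(it->second.begin(), it->second.end(), pred);
  }
  std::map<std::string, std::vector<Grant>> grants_;
};

// Rule the comment describes as enforced today: a table is listed only if
// the user holds METADATA on that table itself.
std::vector<std::string> ListTablesRequireTableMetadata(
    const PolicyStore& store, const std::string& user, const std::string& db,
    const std::vector<std::string>& tables) {
  std::vector<std::string> visible;
  for (const auto& t : tables) {
    if (store.HasOnTable(user, db, t, Action::METADATA)) visible.push_back(t);
  }
  return visible;
}

// Rule the comment proposes: METADATA on the database lists every table in
// it; otherwise fall back to the per-table check.
std::vector<std::string> ListTablesAllowDbMetadata(
    const PolicyStore& store, const std::string& user, const std::string& db,
    const std::vector<std::string>& tables) {
  if (store.HasOnDatabase(user, db, Action::METADATA)) return tables;
  return ListTablesRequireTableMetadata(store, user, db, tables);
}

// Comma-joins a table list so results are easy to compare and print.
std::string Join(const std::vector<std::string>& v) {
  std::string out;
  for (size_t i = 0; i < v.size(); ++i) out += (i ? "," : "") + v[i];
  return out;
}

// Constructed sample policy (assumption): alice holds METADATA on db=a,
// bob only on table a.t1, carol only on db=b.
PolicyStore SamplePolicy() {
  PolicyStore store;
  store.Add("alice", "a", "", Action::METADATA);
  store.Add("bob", "a", "t1", Action::METADATA);
  store.Add("carol", "b", "", Action::METADATA);
  return store;
}

int main() {
  const PolicyStore store = SamplePolicy();
  const std::vector<std::string> tables = {"t1", "t2"};
  for (const char* user : {"alice", "bob", "carol"}) {
    std::cout << user << ": table-only rule -> ["
              << Join(ListTablesRequireTableMetadata(store, user, "a", tables))
              << "], proposed rule -> ["
              << Join(ListTablesAllowDbMetadata(store, user, "a", tables)) << "]\n";
  }
  return 0;
}
```

Under the table-only rule alice, who holds METADATA on db=a but on no individual table, sees nothing, which is the inconsistency the comment describes; under the proposed rule she sees every table in db=a, bob still sees only a.t1, and carol's grant on db=b gives her nothing in db=a.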
