[ https://issues.apache.org/jira/browse/RANGER-2664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989352#comment-16989352 ]
star edited comment on RANGER-2664 at 12/6/19 3:01 AM:
-------------------------------------------------------

It only exists in Ranger 1.2. Ranger 2.x has fixed this bug by setting an empty resource, while in Ranger 1.2 it is database="*". The difference is shown in the following code.

{code:java}
// ranger 1.2
public RangerHiveResource(HiveObjectType objectType, String databaseorUrl, String tableOrUdf, String column) {
    this.objectType = objectType;
    switch(objectType) {
        case DATABASE:
            // databaseorUrl is null when show databases
            if (databaseorUrl == null) {
                databaseorUrl = "*";
            }
            setValue(KEY_DATABASE, databaseorUrl);
            break;
    }
}
{code}

{code:java}
// ranger 2.x
public RangerHiveResource(HiveObjectType objectType, String firstLevelResource, String secondLevelResource, String thirdLevelResource) {
    this.objectType = objectType;
    switch(objectType) {
        case DATABASE:
            // firstLevelResource is null when show databases
            setValue(KEY_DATABASE, firstLevelResource);
            break;
        ...
    }
}
{code}

As the resource is empty, I think the following code is redundant.

{code:java}
// RangerHiveAuthorizer#checkPrivileges
if (hiveOpType == HiveOperationType.SHOWDATABASES) {
    RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
    RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
    requests.add(request);
}
{code}

was (Author: starphin):

It only exists in Ranger 1.2. Ranger 2.x has fixed this bug by setting an empty resource, while in Ranger 1.2 it is database="*". The difference is shown in the following code.

{code:java}
// ranger 1.2
public RangerHiveResource(HiveObjectType objectType, String databaseorUrl, String tableOrUdf, String column) {
    this.objectType = objectType;
    switch(objectType) {
        case DATABASE:
            // databaseorUrl is null when show databases
            if (databaseorUrl == null) {
                databaseorUrl = "*";
            }
            setValue(KEY_DATABASE, databaseorUrl);
            break;
    }
}
{code}

{code:java}
// ranger 2.x
public RangerHiveResource(HiveObjectType objectType, String firstLevelResource, String secondLevelResource, String thirdLevelResource) {
    this.objectType = objectType;
    switch(objectType) {
        case DATABASE:
            // firstLevelResource is null when show databases
            setValue(KEY_DATABASE, firstLevelResource);
            break;
        ...
    }
}
{code}

> filterListCmdObjects does not work in sql 'show databases'
> ----------------------------------------------------------
>
>                 Key: RANGER-2664
>                 URL: https://issues.apache.org/jira/browse/RANGER-2664
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: star
>            Priority: Major
>         Attachments: ranger-2664.patch
>
>
> In the Hive plugin, when executing the sql 'show databases',
> privilege HiveAccessType.USE is required on database '*'. If it is
> authorized with USE privilege, all databases will be shown. If not, the sql will
> be stuck when checking privilege.
> To solve the problem, just let the sql 'show databases' pass through when
> METASTORE_FILTER_HOOK is set as AuthorizationMetaStoreFilterHook. Privilege
> HiveAccessType.USE is not required on database '*'.