[ 
https://issues.apache.org/jira/browse/RANGER-4683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-4683:
------------------------------------
    Labels: Trino  (was: )

> Trino Schema Creation Permission
> --------------------------------
>
>                 Key: RANGER-4683
>                 URL: https://issues.apache.org/jira/browse/RANGER-4683
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Semetey Coskun
>            Priority: Major
>              Labels: Trino
>
> Hi,
> I'm running Trino in docker (trinodb/trino:423) and this environment is 
> integrated with Apache Ranger (2.4.0) for authz policies. Every permission 
> seems OK except "Create Schema" in a catalog. I've tried various configurations, 
> specifying catalog names with "*" or the exact name of the catalog in which I'm 
> trying to create the schema, but I get the same error every time.
>  
> {{io.cloudbeaver.DBWebException: Error executing query: SQL Error [4]: Query failed (#20240129_203356_00589_c9776): Access Denied: Cannot create schema delta.trino_poc
>  at io.cloudbeaver.service.sql.WebSQLProcessor.processQuery(WebSQLProcessor.java:264)
>  at io.cloudbeaver.service.sql.impl.WebServiceSQL$1.run(WebServiceSQL.java:377)
>  at io.cloudbeaver.model.session.WebSession$1.run(WebSession.java:692)
>  at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:105)
>  at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
> Caused by: org.jkiss.dbeaver.model.sql.DBSQLException: SQL Error [4]: Query failed (#20240129_203356_00589_c9776): Access Denied: Cannot create schema delta.trino_poc
>  at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:133)
>  at io.cloudbeaver.service.sql.WebSQLProcessor.lambda$1(WebSQLProcessor.java:250)
>  at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:190)
>  at io.cloudbeaver.service.sql.WebSQLProcessor.processQuery(WebSQLProcessor.java:207)
>  ... 4 more
> Caused by: java.sql.SQLException: Query failed (#20240129_203356_00589_c9776): Access Denied: Cannot create schema delta.trino_poc
>  at io.trino.jdbc.AbstractTrinoResultSet.resultsException(AbstractTrinoResultSet.java:1937)
>  at io.trino.jdbc.TrinoResultSet.getColumns(TrinoResultSet.java:318)
>  at io.trino.jdbc.TrinoResultSet.create(TrinoResultSet.java:61)
>  at io.trino.jdbc.TrinoStatement.internalExecute(TrinoStatement.java:262)
>  at io.trino.jdbc.TrinoStatement.execute(TrinoStatement.java:240)
>  at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.execute(JDBCStatementImpl.java:330)
>  at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:131)
>  ... 7 more
> Caused by: io.trino.spi.security.AccessDeniedException: Access Denied: Cannot create schema delta.trino_poc
>  at io.trino.spi.security.AccessDeniedException.denyCreateSchema(AccessDeniedException.java:150)
>  at io.trino.spi.security.AccessDeniedException.denyCreateSchema(AccessDeniedException.java:145)
>  at io.trino.spi.security.SystemAccessControl.checkCanCreateSchema(SystemAccessControl.java:286)
>  at io.trino.security.AccessControlManager.lambda$checkCanCreateSchema$11(AccessControlManager.java:340)
>  at io.trino.security.AccessControlManager.systemAuthorizationCheck(AccessControlManager.java:1363)
>  at io.trino.security.AccessControlManager.checkCanCreateSchema(AccessControlManager.java:340)
>  at io.trino.security.ForwardingAccessControl.checkCanCreateSchema(ForwardingAccessControl.java:125)
>  at io.trino.tracing.TracingAccessControl.checkCanCreateSchema(TracingAccessControl.java:166)
>  at io.trino.execution.CreateSchemaTask.internalExecute(CreateSchemaTask.java:117)
>  at io.trino.execution.CreateSchemaTask.execute(CreateSchemaTask.java:82)
>  at io.trino.execution.CreateSchemaTask.execute(CreateSchemaTask.java:54)
>  at io.trino.execution.DataDefinitionExecution.start(DataDefinitionExecution.java:145)
>  at io.trino.execution.SqlQueryManager.createQuery(SqlQueryManager.java:256)
>  at io.trino.dispatcher.LocalDispatchQuery.startExecution(LocalDispatchQuery.java:145)
>  at io.trino.dispatcher.LocalDispatchQuery.lambda$waitForMinimumWorkers$2(LocalDispatchQuery.java:129)
>  at io.airlift.concurrent.MoreFutures.lambda$addSuccessCallback$12(MoreFutures.java:568)
>  at io.airlift.concurrent.MoreFutures$3.onSuccess(MoreFutures.java:543)
>  at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1133)
>  at io.trino.$gen.Trino_423____20240129_094308_2.run(Unknown Source)
>  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
>  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
>  at java.base/java.lang.Thread.run(Thread.java:833)}}
>  
> When I grep the coordinator logs, the only policy ID I can see in the logs 
> is 27:
>  
> 2024-01-29T20:02:57.087Z INFO Query-20240129_200257_00416_c9776-2066 stdout 
> 20:02:57.087 [Query-20240129_200257_00416_c9776-2066] DEBUG 
> org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator - ==> 
> RangerDefaultPolicyEvaluator.evaluate(policyId=27, 
> RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} 
> elements={catalog=delta; } }} accessType={use} user={005269} 
> userGroups={MY USER GROUP LIST } userRoles={} accessTime={Mon Jan 29 
> 20:02:57 UTC 2024} clientIPAddress={null} forwardedAddresses={} 
> remoteIPAddress={null} clientType={null} action={null} requestData={null} 
> sessionId={null} resourceMatchingScope={SELF} clusterName={} clusterType={} 
> context={token:USER={005269} } }, 
> RangerAccessResult={isAccessDetermined={false} isAllowed={false} 
> isAuditedDetermined={false} isAudited={false} auditLogId={null} 
> policyType={0} policyId={-1} zoneName={null} auditPolicyId={-1} 
> policyVersion={null} evaluatedPoliciesCount={1} reason={null} 
> additionalInfo={}})
>  
> Policy ID 27 is the default "all - catalog, schema, table, column" 
> configuration:
>  
> !https://private-user-images.githubusercontent.com/1835976/300598323-d3c802a8-a8e5-48aa-ad14-64f0bb3fa8cc.png!
> !https://private-user-images.githubusercontent.com/1835976/300598455-dd5dd6b1-9f34-444f-a66d-b04cf4874c8e.png!
>  
> Is there any point that I'm missing?
> Thank you,
> Kind Regards.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
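
Added example, not part of the original report and not Ranger's own code: a small parser for the `RangerDefaultPolicyEvaluator.evaluate` debug line quoted in the issue, which extracts the access type and resource that each policy evaluation actually covered. The function names and the shortened sample are assumptions of this example; `==>` is Ranger's method-entry trace, so the result fields on such a line show the state before the policy has been evaluated.

```python
import re

# Leaf fields look like key={value}; [^{}]* skips containers that nest braces.
LEAF = re.compile(r"(\w+)=\{([^{}]*)\}")
# "==>" is Ranger's method-entry trace, "<==" the matching exit trace.
EVAL = re.compile(r"(==>|<==) RangerDefaultPolicyEvaluator\.evaluate\(policyId=(-?\d+)")

# The report's log line, shortened (fields dropped) but otherwise as posted,
# including Jira's "\{" escaping and the mail client's line wrapping.
SAMPLE = r"""20:02:57.087 [Query-20240129_200257_00416_c9776-2066] DEBUG
org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator - ==>
RangerDefaultPolicyEvaluator.evaluate(policyId=27,
RangerAccessRequestImpl=\{resource={RangerResourceImpl={ownerUser={null}
elements=\{catalog=delta; } }} accessType=\{use} user=\{005269}
context=\{token:USER={005269} } },
RangerAccessResult=\{isAccessDetermined={false} isAllowed=\{false}
policyId=\{-1} evaluatedPoliciesCount=\{1} })"""

def leaves(text):
    return {k: v.strip() for k, v in LEAF.findall(text)}

def parse_evaluate(line):
    """Summarise one evaluate() trace line; None if the line is something else."""
    line = " ".join(line.replace("\\{", "{").split())  # unescape, unwrap
    m = EVAL.search(line)
    if not m or "RangerAccessResult=" not in line:
        return None
    request, result = line.split("RangerAccessResult=", 1)
    req, res = leaves(request), leaves(result)
    # elements={catalog=delta; schema=x; } -> {"catalog": "delta", "schema": "x"}
    resource = dict(p.strip().split("=", 1)
                    for p in req.get("elements", "").split(";") if "=" in p)
    return {
        "phase": "entry" if m.group(1) == "==>" else "exit",
        "evaluated_policy": int(m.group(2)),
        "resource": resource,
        "access_type": req.get("accessType"),
        "user": req.get("user"),
        "determined": res.get("isAccessDetermined") == "true",
        "allowed": res.get("isAllowed") == "true",
        "matched_policy": int(res.get("policyId", "-1")),
    }

def checks_seen(lines):
    """Distinct (access type, resource) pairs that reached policy evaluation."""
    parsed = filter(None, map(parse_evaluate, lines))
    return sorted({(p["access_type"] or "?", tuple(sorted(p["resource"].items())))
                   for p in parsed})
```

Run over the coordinator log, `checks_seen` lists every access type and resource that reached a Ranger policy, which can then be compared with the operation that was denied.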
