Posted to dev@ranger.apache.org by "Qiang Zhang (JIRA)" <ji...@apache.org> on 2017/07/25 12:38:00 UTC
[jira] [Updated] (RANGER-1712) Hive table was not inserted data after user created Hive Masking policy.
[ https://issues.apache.org/jira/browse/RANGER-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Qiang Zhang updated RANGER-1712:
--------------------------------
Description:
The RANGER-1578 issue used the following logic in the RangerHiveAuthorizer class.
segment 1:
    if (isDataMaskEnabled(dataMaskResult)) {
        if(result == null) {
            result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
        }
        result.setIsAllowed(false); //set false
        result.setPolicyId(dataMaskResult.getPolicyId());
        result.setReason("User does not have acces to unmasked column values");
    }
segment 2:
    if(result == null || !result.getIsAllowed()) { // result.getIsAllowed() must equal false, so the logic is in error. The program logic will always go to the following code segment.
        String path = resource.getAsString();
        path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
        throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
                user, request.getHiveAccessType().name(), path));
    }
The reason for the error is as follows:
result.setIsAllowed(false) was called in segment 1, so result.getIsAllowed() must equal false. This is an error.
1. Scenarios
    create database cust;
    use cust;
    create table customer(id int,name_first string,name_last string,addr_country string, data_of_birth date, phone_num string)ROW FORMAT DELIMITED
    FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
    insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');
Result: insert success
1) First, create a Hive access policy: users:mr have access to all privileges on database(cust), table(customer) and columns(*) (see Acess.png for details)
    insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
Result: insert success
2) Second, create a masking policy on cust.customer.name_first (see Masking.png for details)
    insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
3. Solution:
Modify RangerHiveAuthorizer.java
change from
    "result.setIsAllowed(false);
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");"
to
    "result.setIsAllowed(dataMaskResult.getIsAllowed());
    result.setPolicyId(dataMaskResult.getPolicyId());
    if(!dataMaskResult.getIsAllowed()){
        result.setReason("User does not have acces to unmasked column values");
    }"
was:
The RANGER-1578 issue used the following logic in the RangerHiveAuthorizer class.
segment 1:
    if (isDataMaskEnabled(dataMaskResult)) {
        if(result == null) {
            result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
        }
        result.setIsAllowed(false); //set false
        result.setPolicyId(dataMaskResult.getPolicyId());
        result.setReason("User does not have acces to unmasked column values");
    }
segment 2:
    if(result == null || !result.getIsAllowed()) { // result.getIsAllowed() must equal false, so the logic is in error.
        String path = resource.getAsString();
        path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
        throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
                user, request.getHiveAccessType().name(), path));
    }
The reason for the error is as follows:
result.setIsAllowed(false) was called in segment 1, so result.getIsAllowed() must equal false. This is an error.
1. Scenarios
    create database cust;
    use cust;
    create table customer(id int,name_first string,name_last string,addr_country string, data_of_birth date, phone_num string)ROW FORMAT DELIMITED
    FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
    insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');
Result: insert success
1) First, create a Hive access policy: users:mr have access to all privileges on database(cust), table(customer) and columns(*) (see Acess.png for details)
    insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
Result: insert success
2) Second, create a masking policy on cust.customer.name_first (see Masking.png for details)
    insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
3. Solution:
Modify RangerHiveAuthorizer.java
change from
    "result.setIsAllowed(false);
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");"
to
    "result.setIsAllowed(dataMaskResult.getIsAllowed());
    result.setPolicyId(dataMaskResult.getPolicyId());
    if(!dataMaskResult.getIsAllowed()){
        result.setReason("User does not have acces to unmasked column values");
    }"
> Hive table was not inserted data after user created Hive Masking policy.
> ------------------------------------------------------------------------
>
> Key: RANGER-1712
> URL: https://issues.apache.org/jira/browse/RANGER-1712
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Qiang Zhang
> Assignee: Qiang Zhang
> Priority: Critical
> Labels: patch
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
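
Added example (not Ranger's code and not part of the original message): a minimal model of segment 1 and segment 2 that runs the reported logic and the proposed change side by side. AccessResult, mergeBefore, mergeAfter and enforce are hypothetical stand-ins, and the value the mask evaluation reports for "allowed" is a constructed input.

```java
// Added illustration. AccessResult, mergeBefore, mergeAfter and enforce are
// hypothetical stand-ins, not Ranger's RangerAccessResult or RangerHiveAuthorizer.
public class MaskDecisionDemo {
    static final class AccessResult {
        boolean allowed; long policyId; String reason;
        final boolean maskEnabled; // stand-in for isDataMaskEnabled(dataMaskResult)
        AccessResult(boolean allowed, long policyId, boolean maskEnabled) {
            this.allowed = allowed; this.policyId = policyId; this.maskEnabled = maskEnabled;
        }
    }
    static final String REASON = "User does not have acces to unmasked column values";

    // Segment 1 as reported: a matching masking policy always forces a deny.
    static AccessResult mergeBefore(AccessResult result, AccessResult mask) {
        if (mask.maskEnabled) {
            if (result == null) result = new AccessResult(false, -1, false);
            result.allowed = false;
            result.policyId = mask.policyId;
            result.reason = REASON;
        }
        return result;
    }

    // Segment 1 with the proposed change: carry over the mask evaluation's decision.
    static AccessResult mergeAfter(AccessResult result, AccessResult mask) {
        if (mask.maskEnabled) {
            if (result == null) result = new AccessResult(false, -1, false);
            result.allowed = mask.allowed;
            result.policyId = mask.policyId;
            if (!mask.allowed) result.reason = REASON;
        }
        return result;
    }

    // Segment 2: the exception message is returned here instead of thrown.
    static String enforce(AccessResult r, String user, String type, String path) {
        if (r == null || !r.allowed)
            return String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, type, path);
        return "allowed";
    }

    public static void main(String[] args) {
        // Constructed inputs: access policy 1 allows the write; masking policy 2 matches.
        for (boolean maskAllowed : new boolean[] {true, false}) {
            AccessResult mask = new AccessResult(maskAllowed, 2, true);
            System.out.println("mask.allowed=" + maskAllowed
                + " before: " + enforce(mergeBefore(new AccessResult(true, 1, false), mask), "glc", "UPDATE", "cust/customer")
                + " | after: " + enforce(mergeAfter(new AccessResult(true, 1, false), mask), "glc", "UPDATE", "cust/customer"));
        }
    }
}
```

With the reported logic both rows are denied; with the proposed change the outcome follows the mask evaluation's own decision, so a regression test should cover both the allowed and the denied mask result.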