Posted to dev@ranger.apache.org by "Stalin Nadar (Jira)" <ji...@apache.org> on 2023/05/04 13:22:00 UTC

[jira] [Assigned] (RANGER-4134) Policy Condition Enforcement is not happening if different policy condition is applied for same user in Allow policy items

     [ https://issues.apache.org/jira/browse/RANGER-4134?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stalin Nadar reassigned RANGER-4134:
------------------------------------

    Assignee: Stalin Nadar

> Policy Condition Enforcement is not happening if different policy condition is applied for same user in Allow policy items
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-4134
>                 URL: https://issues.apache.org/jira/browse/RANGER-4134
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Anupam Rai
>            Assignee: Stalin Nadar
>            Priority: Major
>
> Policy Condition Enforcement is not happening if different policy condition is applied for same user in Allow policy items.
> Steps to reproduce:
> Ranger default evaluator: [RangerHiveResourcesAccessedTogetherCondition|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java], [RangerHiveResourcesNotAccessedTogetherCondition|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java]
> 1. Create a policy with the policy items below:
> {code:java}
> "policyItems": [
>   {
>     "users": [
>       "XXXXXX"
>     ],
>     "conditions": [
>       {
>         "type": "not-accessed-together",
>         "values": [
>           "db.table.col1",
>           "db.table.col2"
>         ]
>       }
>     ],
>     "accesses": [
>       {
>         "type": "select",
>         "isAllowed": true
>       }
>     ]
>   },
>   {
>     "users": [
>       "XXXXX"
>     ],
>     "conditions": [
>       {
>         "type": "not-accessed-together",
>         "values": [
>           "db.table.col1",
>           "db.table.col3"
>         ]
>       }
>     ],
>     "accesses": [
>       {
>         "type": "select",
>         "isAllowed": true
>       }
>     ]
>   }
> ] {code}
> 3. Now try accessing the table columns on beeline as:
> select col1,col2 from db.table;
> select col1,col3 from db.table;
> Expected: User should be denied when trying to access these table columns together.
> Actual: User is able to query both columns together.
> {code:java}
> 0: jdbc:hive:// select col1,col2 from b.table;
> ........
> INFO  : OK
> +-------+-------+
> | col1  | col2  |
> +-------+-------+
> | anup  | 30    |
> | abhi  | 26    |
> | deep  | 30    |
> +-------+-------+
> 3 rows selected (0.282 seconds)
> 0: jdbc:hive: select col1,col3 from db.table;
> ....
> INFO  : OK
> +-------+-------+
> | col1  | col3  |
> +-------+-------+
> | anup  | rang  |
> | abhi  | rang  |
> | deep  | rang  |
> +-------+-------+
> 3 rows selected (0.252 seconds) {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
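
A policy audit for the pattern described in this report, added here as an example and not taken from the Ranger code base: it scans policy JSON for users who receive the same access type from more than one allow item with differing conditions. The user names, the third policy item and the function name are constructed for illustration; group and role grants are not examined.

```python
import json
from collections import defaultdict

# Constructed sample: the first two items mirror the report (placeholder user
# name), the third is an unrelated user added to show a non-finding.
SAMPLE_POLICY = json.loads("""
{"policyItems": [
  {"users": ["user1"],
   "conditions": [{"type": "not-accessed-together",
                   "values": ["db.table.col1", "db.table.col2"]}],
   "accesses": [{"type": "select", "isAllowed": true}]},
  {"users": ["user1"],
   "conditions": [{"type": "not-accessed-together",
                   "values": ["db.table.col1", "db.table.col3"]}],
   "accesses": [{"type": "select", "isAllowed": true}]},
  {"users": ["user2"],
   "conditions": [{"type": "not-accessed-together",
                   "values": ["db.table.col1", "db.table.col2"]}],
   "accesses": [{"type": "select", "isAllowed": true}]}
]}
""")


def find_divergent_conditions(policy, item_key="policyItems"):
    """Flag (user, access type) pairs granted by several allow items
    whose condition sets are not identical."""
    seen = defaultdict(list)  # (user, access type) -> [(item index, conditions)]
    for idx, item in enumerate(policy.get(item_key, [])):
        # Normalise conditions so value order does not matter.
        conds = frozenset(
            (c["type"], tuple(sorted(c.get("values", []))))
            for c in item.get("conditions", [])
        )
        for access in item.get("accesses", []):
            if not access.get("isAllowed"):
                continue
            for user in item.get("users", []):
                seen[(user, access["type"])].append((idx, conds))
    findings = []
    for (user, access_type), entries in sorted(seen.items()):
        if len({conds for _, conds in entries}) > 1:
            findings.append({"user": user, "access": access_type,
                             "items": [idx for idx, _ in entries]})
    return findings


if __name__ == "__main__":
    for finding in find_divergent_conditions(SAMPLE_POLICY):
        print(finding)
```

Each finding lists the indexes of the allow items to review together, so the conditions can be merged into a single item or checked against the behaviour reported above.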