Posted to dev@ranger.apache.org by "Stalin Nadar (Jira)" <ji...@apache.org> on 2023/05/04 13:22:00 UTC
[jira] [Assigned] (RANGER-4134) Policy Condition Enforcement is not happening if different policy condition is applied for same user in Allow policy items
[ https://issues.apache.org/jira/browse/RANGER-4134?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stalin Nadar reassigned RANGER-4134:
------------------------------------
Assignee: Stalin Nadar
> Policy Condition Enforcement is not happening if different policy condition is applied for same user in Allow policy items
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-4134
> URL: https://issues.apache.org/jira/browse/RANGER-4134
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Anupam Rai
> Assignee: Stalin Nadar
> Priority: Major
>
> Policy Condition Enforcement is not happening if different policy condition is applied for same user in Allow policy items.
> Steps to reproduce :
> Ranger default evaluator : [RangerHiveResourcesAccessedTogetherCondition|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java],[RangerHiveResourcesNotAccessedTogetherCondition|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java]
> 1. Create a policy with policy items as below:
> {code:java}
> "policyItems": [
>   {
>     "users": [
>       "XXXXXX"
>     ],
>     "conditions": [
>       {
>         "type": "not-accessed-together",
>         "values": [
>           "db.table.col1",
>           "db.table.col2"
>         ]
>       }
>     ],
>     "accesses": [
>       {
>         "type": "select",
>         "isAllowed": true
>       }
>     ]
>   },
>   {
>     "users": [
>       "XXXXX"
>     ],
>     "conditions": [
>       {
>         "type": "not-accessed-together",
>         "values": [
>           "db.table.col1",
>           "db.table.col3"
>         ]
>       }
>     ],
>     "accesses": [
>       {
>         "type": "select",
>         "isAllowed": true
>       }
>     ]
>   }
> ] {code}
> 3. Now try accessing table columns on beeline as
> select col1,col2 from db.table;
> select col1,col3 from db.table;;
> Expected: User should be denied access to these columns when trying to access them together.
> Actual: User is able to run queries accessing both columns together.
> {code:java}
> 0: jdbc:hive:// select col1,col2 from b.table;
> ........
> INFO : OK
> +-------+-------+
> | col1 | col2 |
> +-------+-------+
> | anup | 30 |
> | abhi | 26 |
> | deep | 30 |
> +-------+-------+
> 3 rows selected (0.282 seconds)
> 0: jdbc:hive: select col1,col3 from db.table;
> ....
> INFO : OK
> +-------+-------+
> | col1 | col3 |
> +-------+-------+
> | anup | rang |
> | abhi | rang |
> | deep | rang |
> +-------+-------+
> 3 rows selected (0.252 seconds) {code}
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
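
A pre-deployment check for the policy shape described in this report, as an added example (not part of the original message and not Ranger code): it flags any user who is granted the same access type by more than one allow item whose conditions differ. The user name `alice`, the policy name and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: the two allow items from the report, with the redacted
# user replaced by the placeholder "alice".
SAMPLE_POLICY = json.loads("""
{
  "name": "constructed-example",
  "policyItems": [
    {"users": ["alice"],
     "conditions": [{"type": "not-accessed-together",
                     "values": ["db.table.col1", "db.table.col2"]}],
     "accesses": [{"type": "select", "isAllowed": true}]},
    {"users": ["alice"],
     "conditions": [{"type": "not-accessed-together",
                     "values": ["db.table.col1", "db.table.col3"]}],
     "accesses": [{"type": "select", "isAllowed": true}]}
  ]
}
""")


def condition_key(item):
    """Order-insensitive fingerprint of one policy item's conditions."""
    return frozenset(
        (c["type"], frozenset(c.get("values", [])))
        for c in item.get("conditions", [])
    )


def find_split_conditions(policy):
    """Return {(user, access): [item indexes]} for every user who is granted
    the same access by several allow items whose conditions differ."""
    seen = defaultdict(dict)  # (user, access) -> {condition_key: [indexes]}
    for idx, item in enumerate(policy.get("policyItems", [])):
        key = condition_key(item)
        for access in item.get("accesses", []):
            if not access.get("isAllowed"):
                continue  # only allow grants are of interest here
            for user in item.get("users", []):
                seen[(user, access["type"])].setdefault(key, []).append(idx)
    return {
        who: sorted(i for idxs in by_cond.values() for i in idxs)
        for who, by_cond in seen.items()
        if len(by_cond) > 1
    }


if __name__ == "__main__":
    for (user, access), items in find_split_conditions(SAMPLE_POLICY).items():
        print(f"{user}: '{access}' allowed by items {items} with different conditions")
```

Policies flagged this way can then be exercised with the two beeline queries from the report to confirm whether the conditions are enforced.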