You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Yan Zhou <yz...@yahoo.com> on 2016/11/21 22:37:56 UTC

Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/
-----------------------------------------------------------

Review request for ranger.


Repository: ranger


Description
-------

beeline>grant insert on test10 to user userx;
returns OK.

But actually the hive log has a warning entry:
grant/revoke: unexpected privilege type 'DELETE'. Ignored
The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
Both INSERT and DELETE should be mapped to UPDATE.
What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.


Diffs
-----

  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7 

Diff: https://reviews.apache.org/r/53967/diff/


Testing
-------

Manual tests ok.


Thanks,

Yan Zhou

Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Posted by Yan Zhou <yz...@yahoo.com>.


> On Nov. 23, 2016, 8:55 a.m., Velmurugan Periasamy wrote:
> > Patch looks fine. Could you please update branch info and ranger bug fields?

Please let me know any more changes I need to make before this can be committed. Thanks.


- Yan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review156713
-----------------------------------------------------------


On Nov. 23, 2016, 7:18 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53967/
> -----------------------------------------------------------
> 
> (Updated Nov. 23, 2016, 7:18 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: Ranger-1210
>     https://issues.apache.org/jira/browse/Ranger-1210
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> beeline>grant insert on test10 to user userx;
> returns OK.
> 
> But actually the hive log has a warning entry:
> grant/revoke: unexpected privilege type 'DELETE'. Ignored
> The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
> According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
> Both INSERT and DELETE should be mapped to UPDATE.
> What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
> So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.
> 
> 
> Diffs
> -----
> 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7 
> 
> Diff: https://reviews.apache.org/r/53967/diff/
> 
> 
> Testing
> -------
> 
> Manual tests ok.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>

Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review156713
-----------------------------------------------------------



Patch looks fine. Could you please update branch info and ranger bug fields?

- Velmurugan Periasamy


On Nov. 21, 2016, 10:37 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53967/
> -----------------------------------------------------------
> 
> (Updated Nov. 21, 2016, 10:37 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> beeline>grant insert on test10 to user userx;
> returns OK.
> 
> But actually the hive log has a warning entry:
> grant/revoke: unexpected privilege type 'DELETE'. Ignored
> The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
> According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
> Both INSERT and DELETE should be mapped to UPDATE.
> What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
> So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.
> 
> 
> Diffs
> -----
> 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7 
> 
> Diff: https://reviews.apache.org/r/53967/diff/
> 
> 
> Testing
> -------
> 
> Manual tests ok.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>

Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review160212
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On Dec. 27, 2016, 9:51 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53967/
> -----------------------------------------------------------
> 
> (Updated Dec. 27, 2016, 9:51 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: Ranger-1210
>     https://issues.apache.org/jira/browse/Ranger-1210
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> beeline>grant insert on test10 to user userx;
> returns OK.
> 
> But actually the hive log has a warning entry:
> grant/revoke: unexpected privilege type 'DELETE'. Ignored
> The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
> According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
> Both INSERT and DELETE should be mapped to UPDATE.
> What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
> So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.
> 
> 
> Diffs
> -----
> 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java fa1ea02 
> 
> Diff: https://reviews.apache.org/r/53967/diff/
> 
> 
> Testing
> -------
> 
> Manual tests ok.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>

Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Posted by Yan Zhou <yz...@yahoo.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/
-----------------------------------------------------------

(Updated Dec. 27, 2016, 9:51 p.m.)


Review request for ranger.


Changes
-------

Instead of throwing an exception, add the UPDATE privilege mapped from INSERT/DELETE


Bugs: Ranger-1210
    https://issues.apache.org/jira/browse/Ranger-1210


Repository: ranger


Description
-------

beeline>grant insert on test10 to user userx;
returns OK.

But actually the hive log has a warning entry:
grant/revoke: unexpected privilege type 'DELETE'. Ignored
The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
Both INSERT and DELETE should be mapped to UPDATE.
What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.


Diffs (updated)
-----

  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java fa1ea02 

Diff: https://reviews.apache.org/r/53967/diff/


Testing
-------

Manual tests ok.


Thanks,

Yan Zhou

Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Posted by Madhan Neethiraj <ma...@apache.org>.


> On Dec. 27, 2016, 9:39 a.m., Ankita Sinha wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java, line 1186
> > <https://reviews.apache.org/r/53967/diff/1/?file=1568248#file1568248line1186>
> >
> >     Can "Insert" and "Delete" be added as enum in HiveAccessType and used.

Given that "insert" and "delete" operations are mapped to "update" permission in RangerHiveAuthorizer.getAccessType(), I would suggest  RangerHiveAuthorizer.createGrantRevokeData() to map them similarly.

            } else if (StringUtils.equalsIgnoreCase(privName, "insert") || StringUtils.equalsIgnoreCase(privName, "delete")) {
                ret.getAccessTypes().add(HiveAccessType.UPDATE.name().toLowerCase());
            } else {
                LOG.warn("grant/revoke: unexpected privilege type '" + privName + "'. Ignored");
            }


- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review160143
-----------------------------------------------------------


On Nov. 23, 2016, 7:18 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53967/
> -----------------------------------------------------------
> 
> (Updated Nov. 23, 2016, 7:18 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: Ranger-1210
>     https://issues.apache.org/jira/browse/Ranger-1210
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> beeline>grant insert on test10 to user userx;
> returns OK.
> 
> But actually the hive log has a warning entry:
> grant/revoke: unexpected privilege type 'DELETE'. Ignored
> The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
> According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
> Both INSERT and DELETE should be mapped to UPDATE.
> What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
> So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.
> 
> 
> Diffs
> -----
> 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7 
> 
> Diff: https://reviews.apache.org/r/53967/diff/
> 
> 
> Testing
> -------
> 
> Manual tests ok.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>

Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Posted by Ankita Sinha <an...@freestoneinfotech.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review160143
-----------------------------------------------------------




hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java (line 1186)
<https://reviews.apache.org/r/53967/#comment231181>

    Can "Insert" and "Delete" be added as enum in HiveAccessType and used.


- Ankita Sinha


On Nov. 23, 2016, 7:18 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53967/
> -----------------------------------------------------------
> 
> (Updated Nov. 23, 2016, 7:18 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: Ranger-1210
>     https://issues.apache.org/jira/browse/Ranger-1210
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> beeline>grant insert on test10 to user userx;
> returns OK.
> 
> But actually the hive log has a warning entry:
> grant/revoke: unexpected privilege type 'DELETE'. Ignored
> The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
> According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
> Both INSERT and DELETE should be mapped to UPDATE.
> What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
> So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.
> 
> 
> Diffs
> -----
> 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7 
> 
> Diff: https://reviews.apache.org/r/53967/diff/
> 
> 
> Testing
> -------
> 
> Manual tests ok.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>

Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw an exception when an INSERT/DELETE grant is issued from beeline

Posted by Yan Zhou <yz...@yahoo.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/
-----------------------------------------------------------

(Updated Nov. 23, 2016, 7:18 p.m.)


Review request for ranger.


Bugs: Ranger-1210
    https://issues.apache.org/jira/browse/Ranger-1210


Repository: ranger


Description
-------

beeline>grant insert on test10 to user userx;
returns OK.

But actually the hive log has a warning entry:
grant/revoke: unexpected privilege type 'DELETE'. Ignored
The policy is actually created but with no policy items. While the "UPDATE" grant properly sets up the policy item.
According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
Both INSERT and DELETE should be mapped to UPDATE.
What user experiences is that the grant of INSERT/DELETE has no effect at all even the return status is good.
So we should throw an exception with an informational message about the INSERR/DELET=>UPDATE mapping.


Diffs
-----

  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7 

Diff: https://reviews.apache.org/r/53967/diff/


Testing
-------

Manual tests ok.


Thanks,

Yan Zhou