Posted to dev@ranger.apache.org by Yan Zhou <yz...@yahoo.com> on 2016/11/21 22:37:56 UTC
Review Request 53967: Ranger-1210: Ranger Hive Plugin does not throw
an exception when an INSERT/DELETE grant is issued from beeline
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/
-----------------------------------------------------------
Review request for ranger.
Repository: ranger
Description
-------
beeline>grant insert on test10 to user userx;
returns OK.
But actually the hive log has a warning entry:
grant/revoke: unexpected privilege type 'DELETE'. Ignored
The policy is actually created but with no policy items, while the "UPDATE" grant properly sets up the policy item.
According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
Both INSERT and DELETE should be mapped to UPDATE.
What the user experiences is that the grant of INSERT/DELETE has no effect at all even though the return status is good.
So we should throw an exception with an informational message about the INSERT/DELETE=>UPDATE mapping.
Diffs
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7
Diff: https://reviews.apache.org/r/53967/diff/
Testing
-------
Manual tests ok.
Thanks,
Yan Zhou
Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not
throw an exception when an INSERT/DELETE grant is issued from beeline
Posted by Yan Zhou <yz...@yahoo.com>.
> On Nov. 23, 2016, 8:55 a.m., Velmurugan Periasamy wrote:
> > Patch looks fine. Could you please update branch info and ranger bug fields?
Please let me know of any more changes I need to make before this can be committed. Thanks.
- Yan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review156713
-----------------------------------------------------------
Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not
throw an exception when an INSERT/DELETE grant is issued from beeline
Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review156713
-----------------------------------------------------------
Patch looks fine. Could you please update branch info and ranger bug fields?
- Velmurugan Periasamy
Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not
throw an exception when an INSERT/DELETE grant is issued from beeline
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review160212
-----------------------------------------------------------
Ship it!
- Madhan Neethiraj
Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not
throw an exception when an INSERT/DELETE grant is issued from beeline
Posted by Yan Zhou <yz...@yahoo.com>.
(Updated Dec. 27, 2016, 9:51 p.m.)
Review request for ranger.
Changes
-------
Instead of throwing an exception, add the UPDATE privilege mapped from INSERT/DELETE
Bugs: Ranger-1210
https://issues.apache.org/jira/browse/Ranger-1210
Repository: ranger
Description
-------
beeline>grant insert on test10 to user userx;
returns OK.
But actually the hive log has a warning entry:
grant/revoke: unexpected privilege type 'DELETE'. Ignored
The policy is actually created but with no policy items, while the "UPDATE" grant properly sets up the policy item.
According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
Both INSERT and DELETE should be mapped to UPDATE.
What the user experiences is that the grant of INSERT/DELETE has no effect at all even though the return status is good.
So we should throw an exception with an informational message about the INSERT/DELETE=>UPDATE mapping.
Diffs (updated)
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java fa1ea02
Diff: https://reviews.apache.org/r/53967/diff/
Testing
-------
Manual tests ok.
Thanks,
Yan Zhou
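An added example, not code from the Ranger patch or from anyone in this thread: a self-contained Java program showing the privilege-name mapping this review discusses, where INSERT and DELETE grants become the UPDATE access type. The class name, the stand-in `AccessType` enum, and the guard that rejects a grant yielding no access types are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class GrantPrivilegeMapping {
    // Local stand-in for the plugin's access-type enum (assumption, not Ranger's class).
    enum AccessType { SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, ALL }

    // Translate the privilege names of one GRANT/REVOKE into policy access types.
    static Set<String> toAccessTypes(List<String> privNames) {
        Set<String> ret = new LinkedHashSet<>();
        for (String privName : privNames) {
            // Locale.ROOT keeps "insert" -> "INSERT" stable under locales such as Turkish.
            String name = privName.trim().toUpperCase(Locale.ROOT);
            if (name.equals("INSERT") || name.equals("DELETE")) {
                // Hive INSERT and DELETE are both covered by the UPDATE permission.
                ret.add(AccessType.UPDATE.name().toLowerCase(Locale.ROOT));
                continue;
            }
            try {
                ret.add(AccessType.valueOf(name).name().toLowerCase(Locale.ROOT));
            } catch (IllegalArgumentException e) {
                System.err.println("grant/revoke: unexpected privilege type '" + privName + "'. Ignored");
            }
        }
        if (ret.isEmpty()) {
            // Never report success for a request that would create a policy with no items.
            throw new IllegalArgumentException("no supported privilege in " + privNames);
        }
        return ret;
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration.
        System.out.println(toAccessTypes(Arrays.asList("insert")));
        System.out.println(toAccessTypes(Arrays.asList("DELETE", "select")));
        try {
            toAccessTypes(Arrays.asList("frobnicate"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```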
Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not
throw an exception when an INSERT/DELETE grant is issued from beeline
Posted by Madhan Neethiraj <ma...@apache.org>.
> On Dec. 27, 2016, 9:39 a.m., Ankita Sinha wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java, line 1186
> > <https://reviews.apache.org/r/53967/diff/1/?file=1568248#file1568248line1186>
> >
> > Can "Insert" and "Delete" be added as enums in HiveAccessType and used?
Given that "insert" and "delete" operations are mapped to "update" permission in RangerHiveAuthorizer.getAccessType(), I would suggest RangerHiveAuthorizer.createGrantRevokeData() to map them similarly.
    } else if (StringUtils.equalsIgnoreCase(privName, "insert") || StringUtils.equalsIgnoreCase(privName, "delete")) {
        ret.getAccessTypes().add(HiveAccessType.UPDATE.name().toLowerCase());
    } else {
        LOG.warn("grant/revoke: unexpected privilege type '" + privName + "'. Ignored");
    }
- Madhan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review160143
-----------------------------------------------------------
Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not
throw an exception when an INSERT/DELETE grant is issued from beeline
Posted by Ankita Sinha <an...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53967/#review160143
-----------------------------------------------------------
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java (line 1186)
<https://reviews.apache.org/r/53967/#comment231181>
Can "Insert" and "Delete" be added as enums in HiveAccessType and used?
- Ankita Sinha
Re: Review Request 53967: Ranger-1210: Ranger Hive Plugin does not
throw an exception when an INSERT/DELETE grant is issued from beeline
Posted by Yan Zhou <yz...@yahoo.com>.
(Updated Nov. 23, 2016, 7:18 p.m.)
Review request for ranger.
Bugs: Ranger-1210
https://issues.apache.org/jira/browse/Ranger-1210
Repository: ranger
Description
-------
beeline>grant insert on test10 to user userx;
returns OK.
But actually the hive log has a warning entry:
grant/revoke: unexpected privilege type 'DELETE'. Ignored
The policy is actually created but with no policy items, while the "UPDATE" grant properly sets up the policy item.
According to https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping
Both INSERT and DELETE should be mapped to UPDATE.
What the user experiences is that the grant of INSERT/DELETE has no effect at all even though the return status is good.
So we should throw an exception with an informational message about the INSERT/DELETE=>UPDATE mapping.
Diffs
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 92fc2e7
Diff: https://reviews.apache.org/r/53967/diff/
Testing
-------
Manual tests ok.
Thanks,
Yan Zhou