You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Tarek Abouzeid (Jira)" <ji...@apache.org> on 2022/02/14 09:34:00 UTC

[jira] [Commented] (RANGER-3142) Access control based on groups not working for presto plugin

    [ https://issues.apache.org/jira/browse/RANGER-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17491889#comment-17491889 ] 

Tarek Abouzeid commented on RANGER-3142:
----------------------------------------

Hi,

 

This wont be solved from Apache Ranger, this requires Trino/Presto Group provider plugin, which fetches the associated LDAP groups with particular LDAP user.

You can check this from the developers documentation. [Group provider — Trino 370 Documentation|https://trino.io/docs/current/develop/group-provider.html]

We have used this project [arghya18/trino-group-provider-ldap-ad: Trino Group Provider LDAP is a Trino (formerly Presto SQL) plugin to map user names to groups using an LDAP server (github.com)|https://github.com/arghya18/trino-group-provider-ldap-ad] for the group provider plugin.

 

Best Regards, 

> Access control based on groups not working for presto plugin 
> -------------------------------------------------------------
>
>                 Key: RANGER-3142
>                 URL: https://issues.apache.org/jira/browse/RANGER-3142
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>         Environment: ranger-2.1.0-presto-plugin.tar.gz
> presto-server-347.tar.gz
>            Reporter: Anchal Agarwal
>            Priority: Major
>         Attachments: image-2021-01-29-19-53-59-145.png, image-2021-01-29-19-54-02-248.png, image-2021-01-29-19-54-28-329.png, image-2021-01-29-19-54-50-303.png, image-2021-01-29-19-55-01-685.png, image-2021-01-29-19-59-42-929.png, image-2021-01-29-20-00-54-796.png
>
>
> I'm using ranger-2.1.0 for access control in prestosql-347.
> A policy with user list in 'allow conditions' works i.e. if I connect to presto with a user in the allowed list, my query returns the expected results.
> But instead of users, if I use group in the policy and try accessing presto with a user belonging to that group, then I'm denied access.
> {code:java}
> %presto
> show tables in default
> Query failed (#20210106_032741_00000_dddsy): Access Denied: Cannot access catalog hive
> {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)