Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2019/08/16 01:24:09 UTC
Review Request 71296: RANGER-2536: Ranger Hive authorizer enhancement
to enable Hive policies based on resource owners
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71296/
-----------------------------------------------------------
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, Thejas Nair, and Velmurugan Periasamy.
Bugs: RANGER-2536
https://issues.apache.org/jira/browse/RANGER-2536
Repository: ranger
Description
-------
RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java 2795906
agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 7408cbc
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java d1e0c23
agents-common/src/test/resources/policyengine/test_policyengine_hive_default_policies.json PRE-CREATION
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 7c3e3ab
pom.xml 13d5a5b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java af74daf
Diff: https://reviews.apache.org/r/71296/diff/1/
Testing
-------
USED default policies:
"policies":[
{"id":1,"name":"database=*,table=*,column=* - audit-all-access","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
]
}
,
{"id":2,"name":"database=* - allow anyone to create database; grant owner all access ","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"create","isAllowed":true}],"groups":["public"],"delegateAdmin":false},
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
]
},
{"id":3,"name":"database=*,table=* - allow owner all access to table","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
]
},
{"id":4,"name":"database=*;table=*;column=* - allow owner all access to column","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
]
}
],
TEST DONE:
AS user ranger:
create database rangerdb; => should pass ( because of public create policy)
create table ranger_table (id int, name string); => should fail as not owner for rangerdb;
select * from ranger_table;
AS user impala:
use rangerdb; => should pass ( because of public create policy)
create table impala_table(id int, name string) => should fail as not owner for rangerdb;
create database impaladb;
use impaladb;
create table impala_table(id int, name string) => should pass as the owner
give select access for rangerdb / table * for impala user
use impaladb;
create view test1_v as select * from ranger1.test1; => should pass as a owner
select * from test1_v => should pass as owner
remove the policy for impala user for rangerdb / table *
use impaladb;
create view test1_v as select * from ranger1.test1; => should fail as impala user don’t have select access to table ranger1.test1.
AS user ranger:
use impaladb;
select * from test1_v => should fail as impala is the owner.
use rangerdb;
drop table ranger_table => should pass as owner.
create database / udf policy for owner.
CREATE temporary function aes_encrypt_custom1 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFAesEncrypt' USING JAR 'hdfs:///apps/hive/share/udfs/hive-exec-3.1.0.3.0.0.0-1634.jar';
=> should pass as OWNER
create table impala_t1(id int, name string);
insert into table impala_t1 values (1,'SAM');
=> this should pass for OWNER.
Thanks,
Ramesh Mani
Re: Review Request 71296: RANGER-2536: Ranger Hive authorizer
enhancement to enable Hive policies based on resource owners
Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71296/
-----------------------------------------------------------
(Updated Aug. 16, 2019, 6:10 a.m.)
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, Thejas Nair, and Velmurugan Periasamy.
Changes
-------
RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners
Bugs: RANGER-2536
https://issues.apache.org/jira/browse/RANGER-2536
Repository: ranger
Description
-------
RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java 2795906
agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 7408cbc
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java d1e0c23
agents-common/src/test/resources/policyengine/test_policyengine_hive_default_policies.json PRE-CREATION
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 7c3e3ab
pom.xml 13d5a5b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java af74daf
Diff: https://reviews.apache.org/r/71296/diff/2/
Changes: https://reviews.apache.org/r/71296/diff/1-2/
Testing
-------
USED default policies:
"policies":[
{"id":1,"name":"database=*,table=*,column=* - audit-all-access","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
]
}
,
{"id":2,"name":"database=* - allow anyone to create database; grant owner all access ","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"create","isAllowed":true}],"groups":["public"],"delegateAdmin":false},
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
]
},
{"id":3,"name":"database=*,table=* - allow owner all access to table","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
]
},
{"id":4,"name":"database=*;table=*;column=* - allow owner all access to column","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
]
}
],
TEST DONE:
AS user ranger:
create database rangerdb; => should pass ( because of public create policy)
create table ranger_table (id int, name string); => should fail as not owner for rangerdb;
select * from ranger_table;
AS user impala:
use rangerdb; => should pass ( because of public create policy)
create table impala_table(id int, name string) => should fail as not owner for rangerdb;
create database impaladb;
use impaladb;
create table impala_table(id int, name string) => should pass as the owner
give select access for rangerdb / table * for impala user
use impaladb;
create view test1_v as select * from ranger1.test1; => should pass as a owner
select * from test1_v => should pass as owner
remove the policy for impala user for rangerdb / table *
use impaladb;
create view test1_v as select * from ranger1.test1; => should fail as impala user don’t have select access to table ranger1.test1.
AS user ranger:
use impaladb;
select * from test1_v => should fail as impala is the owner.
use rangerdb;
drop table ranger_table => should pass as owner.
create database / udf policy for owner.
CREATE temporary function aes_encrypt_custom1 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFAesEncrypt' USING JAR 'hdfs:///apps/hive/share/udfs/hive-exec-3.1.0.3.0.0.0-1634.jar';
=> should pass as OWNER
create table impala_t1(id int, name string);
insert into table impala_t1 values (1,'SAM');
=> this should pass for OWNER.
Thanks,
Ramesh Mani
Re: Review Request 71296: RANGER-2536: Ranger Hive authorizer
enhancement to enable Hive policies based on resource owners
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71296/#review217234
-----------------------------------------------------------
Fix it, then Ship it!
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 1256 (patched)
<https://reviews.apache.org/r/71296/#comment304513>
inputs/outputs could be null (see lines #502 and #542 above). Please review and update to handle this condition.
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 1258 (patched)
<https://reviews.apache.org/r/71296/#comment304514>
Consider replacing equals() with equalsIgnoreCase() in lines #1258 and #1265.
- Madhan Neethiraj
On Aug. 16, 2019, 1:24 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71296/
> -----------------------------------------------------------
>
> (Updated Aug. 16, 2019, 1:24 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, Thejas Nair, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2536
> https://issues.apache.org/jira/browse/RANGER-2536
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2536: Ranger Hive authorizer enhancement to enable Hive policies based on resource owners
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java 2795906
> agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 7408cbc
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java d1e0c23
> agents-common/src/test/resources/policyengine/test_policyengine_hive_default_policies.json PRE-CREATION
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 7c3e3ab
> pom.xml 13d5a5b
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java af74daf
>
>
> Diff: https://reviews.apache.org/r/71296/diff/1/
>
>
> Testing
> -------
>
> USED default policies:
> "policies":[
> {"id":1,"name":"database=*,table=*,column=* - audit-all-access","isEnabled":true,"isAuditEnabled":true,
> "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
> "policyItems":[
> {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
> ]
> }
> ,
> {"id":2,"name":"database=* - allow anyone to create database; grant owner all access ","isEnabled":true,"isAuditEnabled":true,
> "resources":{"database":{"values":["*"]}},
> "policyItems":[
> {"accesses":[{"type":"create","isAllowed":true}],"groups":["public"],"delegateAdmin":false},
> {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
> ]
> },
> {"id":3,"name":"database=*,table=* - allow owner all access to table","isEnabled":true,"isAuditEnabled":true,
> "resources":{"database":{"values":["*"]},"table":{"values":["*"]}},
> "policyItems":[
> {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
> ]
> },
> {"id":4,"name":"database=*;table=*;column=* - allow owner all access to column","isEnabled":true,"isAuditEnabled":true,
> "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
> "policyItems":[
> {"accesses":[{"type":"all","isAllowed":true}],"users":["{OWNER}"],"delegateAdmin":false}
> ]
> }
> ],
>
> TEST DONE:
>
> AS user ranger:
>
> create database rangerdb; => should pass ( because of public create policy)
> create table ranger_table (id int, name string); => should fail as not owner for rangerdb;
> select * from ranger_table;
>
> AS user impala:
>
> use rangerdb; => should pass ( because of public create policy)
> create table impala_table(id int, name string) => should fail as not owner for rangerdb;
>
> create database impaladb;
> use impaladb;
> create table impala_table(id int, name string) => should pass as a owner
>
> give select access for rangerdb / table * for impala user
> use imapaladb;
> create view test1_v as select * from ranger1.test1; => should pass as a owner
> select * from test1_v => should pass as owner
>
> remove the policy for impala user for rangerdb / table *
> use imapaladb;
> create view test1_v as select * from ranger1.test1; => should fail as impala user don’t have select access to table ranger1.test1.
>
> AS user ranger:
>
> use impaladb;
> select * from test1_v => should fail as impala is the owner.
>
> use rangerdb;
> drop able ranger_table => should pass as owner.
>
> create database / udf policy for owner.
>
> CREATE temporary function aes_encrypt_custom1 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFAesEncrypt' USING JAR 'hdfs:///apps/hive/share/udfs/hive-exec-3.1.0.3.0.0.0-1634.jar';
>
> => should pass as OWNER
>
> create table impala_t1(id int, name string);
> insert into table impala_t1 values (1,'SAM’);
> => this should pass for OWNER.
>
>
> Thanks,
>
> Ramesh Mani
>
>