You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Jiayi Liu <li...@gmail.com> on 2020/01/30 12:45:29 UTC

Review Request 72061: RANGER-2716: Add catalogs/schemas/tables filter in presto plugin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72061/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Zsombor Gegesy.


Bugs: RANGER-2716
    https://issues.apache.org/jira/browse/RANGER-2716


Repository: ranger


Description
-------

Presto plugin returns the input set of catalogs/schemas/tables directly at present. However, this causes a problem, that is, when the user uses show catalogs/schemas/tables, all catalogs/schemas/tables are displayed, even though the user does not have the permissions to display all catalogs/schemas/tables.

We need to fix the filterCatalogs/Schemas/Tables functions to filter catalogs/schemas/tables, so that the user can only see the catalogs/schemas/tables in which the user has SELECT permission.


Diffs
-----

  plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java 3ab63f590 
  ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java e89f646e1 


Diff: https://reviews.apache.org/r/72061/diff/1/


Testing
-------

show catalogs/schemas/tables only display the catalogs/schemas/tables in which the user has SELECT permission.


Thanks,

Jiayi Liu

Re: Review Request 72061: RANGER-2716: Add catalogs/schemas/tables filter in presto plugin

Posted by Jiayi Liu <li...@gmail.com>.


> On 四月 10, 2020, 6:38 a.m., Madhan Neethiraj wrote:
> > ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
> > Line 106 (original), 106 (patched)
> > <https://reviews.apache.org/r/72061/diff/1/?file=2210036#file2210036line106>
> >
> >     deactivatePluginClassLoader() should be called before the shim method returns - as shown below:
> >     
> >       try {
> >         activatePluginClassLoader();
> >         
> >         return systemAccessControlImpl.filterCatalogs(identity, catalogs);
> >       } finally {
> >         deactivatePluginClassLoader();
> >       }
> >     
> >     Please review and update other methods as well (#167,#229).

OK, I will fix this.


- Jiayi


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72061/#review220277
-----------------------------------------------------------


On 四月 23, 2020, 3:23 a.m., Jiayi Liu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72061/
> -----------------------------------------------------------
> 
> (Updated 四月 23, 2020, 3:23 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Zsombor Gegesy.
> 
> 
> Bugs: RANGER-2716
>     https://issues.apache.org/jira/browse/RANGER-2716
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Presto plugin returns the input set of catalogs/schemas/tables directly at present. However, this causes a problem, that is, when the user uses show catalogs/schemas/tables, all catalogs/schemas/tables are displayed, even though the user does not have the permissions to display all catalogs/schemas/tables.
> 
> We need to fix the filterCatalogs/Schemas/Tables functions to filter catalogs/schemas/tables, so that the user can only see the catalogs/schemas/tables in which the user has SELECT permission.
> 
> 
> Diffs
> -----
> 
>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java 3ab63f590 
>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java e89f646e1 
> 
> 
> Diff: https://reviews.apache.org/r/72061/diff/2/
> 
> 
> Testing
> -------
> 
> show catalogs/schemas/tables only display the catalogs/schemas/tables in which the user has SELECT permission.
> 
> 
> Thanks,
> 
> Jiayi Liu
> 
>

Re: Review Request 72061: RANGER-2716: Add catalogs/schemas/tables filter in presto plugin

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72061/#review220277
-----------------------------------------------------------




ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
Line 106 (original), 106 (patched)
<https://reviews.apache.org/r/72061/#comment308612>

    deactivatePluginClassLoader() should be called before the shim method returns - as shown below:
    
      try {
        activatePluginClassLoader();
        
        return systemAccessControlImpl.filterCatalogs(identity, catalogs);
      } finally {
        deactivatePluginClassLoader();
      }
    
    Please review and update other methods as well (#167,#229).


- Madhan Neethiraj


On Jan. 30, 2020, 12:45 p.m., Jiayi Liu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72061/
> -----------------------------------------------------------
> 
> (Updated Jan. 30, 2020, 12:45 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Zsombor Gegesy.
> 
> 
> Bugs: RANGER-2716
>     https://issues.apache.org/jira/browse/RANGER-2716
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Presto plugin returns the input set of catalogs/schemas/tables directly at present. However, this causes a problem, that is, when the user uses show catalogs/schemas/tables, all catalogs/schemas/tables are displayed, even though the user does not have the permissions to display all catalogs/schemas/tables.
> 
> We need to fix the filterCatalogs/Schemas/Tables functions to filter catalogs/schemas/tables, so that the user can only see the catalogs/schemas/tables in which the user has SELECT permission.
> 
> 
> Diffs
> -----
> 
>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java 3ab63f590 
>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java e89f646e1 
> 
> 
> Diff: https://reviews.apache.org/r/72061/diff/1/
> 
> 
> Testing
> -------
> 
> show catalogs/schemas/tables only display the catalogs/schemas/tables in which the user has SELECT permission.
> 
> 
> Thanks,
> 
> Jiayi Liu
> 
>

Re: Review Request 72061: RANGER-2716: Add catalogs/schemas/tables filter in presto plugin

Posted by Jiayi Liu <li...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72061/
-----------------------------------------------------------

(Updated 四月 23, 2020, 3:23 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Zsombor Gegesy.


Bugs: RANGER-2716
    https://issues.apache.org/jira/browse/RANGER-2716


Repository: ranger


Description
-------

Presto plugin returns the input set of catalogs/schemas/tables directly at present. However, this causes a problem, that is, when the user uses show catalogs/schemas/tables, all catalogs/schemas/tables are displayed, even though the user does not have the permissions to display all catalogs/schemas/tables.

We need to fix the filterCatalogs/Schemas/Tables functions to filter catalogs/schemas/tables, so that the user can only see the catalogs/schemas/tables in which the user has SELECT permission.


Diffs (updated)
-----

  plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java 3ab63f590 
  ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java e89f646e1 


Diff: https://reviews.apache.org/r/72061/diff/2/

Changes: https://reviews.apache.org/r/72061/diff/1-2/


Testing
-------

show catalogs/schemas/tables only display the catalogs/schemas/tables in which the user has SELECT permission.


Thanks,

Jiayi Liu

Re: Review Request 72061: RANGER-2716: Add catalogs/schemas/tables filter in presto plugin

Posted by Jiayi Liu <li...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72061/
-----------------------------------------------------------

(Updated 四月 23, 2020, 3:21 a.m.)


Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Zsombor Gegesy.


Bugs: RANGER-2716
    https://issues.apache.org/jira/browse/RANGER-2716


Repository: ranger


Description
-------

Presto plugin returns the input set of catalogs/schemas/tables directly at present. However, this causes a problem, that is, when the user uses show catalogs/schemas/tables, all catalogs/schemas/tables are displayed, even though the user does not have the permissions to display all catalogs/schemas/tables.

We need to fix the filterCatalogs/Schemas/Tables functions to filter catalogs/schemas/tables, so that the user can only see the catalogs/schemas/tables in which the user has SELECT permission.


Diffs
-----

  plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java 3ab63f590 
  ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java e89f646e1 


Diff: https://reviews.apache.org/r/72061/diff/1/


Testing
-------

show catalogs/schemas/tables only display the catalogs/schemas/tables in which the user has SELECT permission.


File Attachments (updated)
----------------

0002-RANGER-2716.patch
  https://reviews.apache.org/media/uploaded/files/2020/04/23/c8100704-4d07-4193-b8ae-9ba40f7d42d2__0002-RANGER-2716.patch


Thanks,

Jiayi Liu