Posted to commits@ranger.apache.org by rm...@apache.org on 2016/12/09 18:02:53 UTC

incubator-ranger git commit: RANGER-1195:Ranger should allow for 'describe' and 'show columns' on tables when user access is limited to a subset of columns

Repository: incubator-ranger
Updated Branches:
  refs/heads/master 10f2befe9 -> d8f4b2eab


RANGER-1195:Ranger should allow for 'describe' and 'show columns' on tables when user access is limited to a subset of columns

Signed-off-by: rmani <rm...@hortonworks.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d8f4b2ea
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d8f4b2ea
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d8f4b2ea

Branch: refs/heads/master
Commit: d8f4b2eab64c902e9e2018c25ef11f2a88acb2b6
Parents: 10f2bef
Author: rmani <rm...@hortonworks.com>
Authored: Thu Nov 17 16:13:12 2016 -0800
Committer: rmani <rm...@hortonworks.com>
Committed: Mon Dec 5 23:55:22 2016 -0800

----------------------------------------------------------------------
 .../hadoop/constants/RangerHadoopConstants.java |  2 ++
 .../hive/authorizer/RangerHiveAuthorizer.java   | 22 +++++++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d8f4b2ea/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index b3d761c..83f720a 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -33,6 +33,8 @@ public class RangerHadoopConstants {
 	public static final boolean HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
 	public static final String  HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP          = "xasecure.hive.block.update.if.rowfilter.columnmask.specified";
 	public static final boolean HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE = true;
+	public static final String  HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP	= "xasecure.hive.describetable.showcolumns.authorization.option";
+	public static final String  HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE	= "NONE";
 
 	public static final String  HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP 	     = "xasecure.hbase.update.xapolicies.on.grant.revoke";
 	public static final boolean HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
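Review bot: The two added constants carry no comment naming the accepted values, which the authorizer hunk in RangerHiveAuthorizer.java compares in lower case as `none`, `show-all` and `show-allowed`. A line above them such as `// NONE (default): SELECT required; SHOW-ALL: USE is enough; SHOW-ALLOWED: not implemented, behaves as NONE` would record the security effect of each setting where operators look for it. The default's name `HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE` also departs from the neighbouring `..._PROP` / `..._DEFAULT_VALUE` pairing; `HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_DEFAULT_VALUE` would match, with the two references in RangerHivePlugin updated accordingly.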

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d8f4b2ea/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 92fc2e7..717cec3 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -831,7 +831,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 	private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, boolean isInput) {
 		HiveAccessType           accessType       = HiveAccessType.NONE;
 		HivePrivObjectActionType objectActionType = hiveObj.getActionType();
-		
 		switch(objectActionType) {
 			case INSERT:
 			case INSERT_OVERWRITE:
@@ -948,15 +947,30 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 				case QUERY:
 				case SHOW_TABLESTATUS:
 				case SHOW_CREATETABLE:
-				case SHOWCOLUMNS:
 				case SHOWINDEXES:
 				case SHOWPARTITIONS:
 				case SHOW_TBLPROPERTIES:
-				case DESCTABLE:
 				case ANALYZE_TABLE:
 					accessType = HiveAccessType.SELECT;
 				break;
 
+				case SHOWCOLUMNS:
+				case DESCTABLE:
+					switch (StringUtil.toLower(hivePlugin.DescribeShowTableAuth)){
+						case "show-allowed":
+							// This is not implemented so defaulting to current behaviour of blocking describe/show columns not to show any columns.
+							// This has to be implemented when hive provides the necessary filterListCmdObjects for
+							// SELECT/SHOWCOLUMS/DESCTABLE to filter the columns based on access provided in ranger.
+						case "none":
+						case "":
+							accessType = HiveAccessType.SELECT;
+							break;
+						case "show-all":
+							accessType = HiveAccessType.USE;
+							break;
+					}
+				break;
+
 				// any access done for metadata access of actions that have support from hive for filtering
 				case SHOWDATABASES:
 				case SWITCHDATABASE:
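Review bot: The inner `switch` on `hivePlugin.DescribeShowTableAuth` has no `default` branch, so any configured value other than the four listed strings leaves `accessType` at its initial `HiveAccessType.NONE` for SHOWCOLUMNS and DESCTABLE. How `NONE` is handled lies outside this hunk, but if it is treated as "nothing to check", a misspelt setting would fail open; a `default:` label placed beside `case "none":` would make unknown values fall back to `HiveAccessType.SELECT`. The string is also compared without trimming, and the last hunk stores it exactly as read from configuration, so a warning logged there for unrecognised values would help operators. A short comment on `case "show-all":` should state that it lowers the requirement from SELECT to USE, which presumably makes all column names visible to users without column access, and the `"show-allowed"` fall-through would read better with `// fall through`. getAccessType begins and ends outside this hunk.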
@@ -1325,6 +1339,7 @@ enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, US
 class RangerHivePlugin extends RangerBasePlugin {
 	public static boolean UpdateXaPoliciesOnGrantRevoke             = RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE;
 	public static boolean BlockUpdateIfRowfilterColumnMaskSpecified = RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE;
+	public static String DescribeShowTableAuth						= RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE;
 
 	public RangerHivePlugin(String appType) {
 		super("hive", appType);
@@ -1336,6 +1351,7 @@ class RangerHivePlugin extends RangerBasePlugin {
 
 		RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke             = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP, RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
 		RangerHivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP, RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE);
+		RangerHivePlugin.DescribeShowTableAuth				   	   = RangerConfiguration.getInstance().get(RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP,RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE);
 	}
 }