Posted to commits@ranger.apache.org by rm...@apache.org on 2016/12/09 18:02:53 UTC
incubator-ranger git commit: RANGER-1195:Ranger should allow for
'describe' and 'show columns' on tables when user access is limited to a
subset of columns
Repository: incubator-ranger
Updated Branches:
refs/heads/master 10f2befe9 -> d8f4b2eab
RANGER-1195:Ranger should allow for 'describe' and 'show columns' on tables when user access is limited to a subset of columns
Signed-off-by: rmani <rm...@hortonworks.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d8f4b2ea
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d8f4b2ea
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d8f4b2ea
Branch: refs/heads/master
Commit: d8f4b2eab64c902e9e2018c25ef11f2a88acb2b6
Parents: 10f2bef
Author: rmani <rm...@hortonworks.com>
Authored: Thu Nov 17 16:13:12 2016 -0800
Committer: rmani <rm...@hortonworks.com>
Committed: Mon Dec 5 23:55:22 2016 -0800
----------------------------------------------------------------------
.../hadoop/constants/RangerHadoopConstants.java | 2 ++
.../hive/authorizer/RangerHiveAuthorizer.java | 22 +++++++++++++++++---
2 files changed, 21 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d8f4b2ea/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index b3d761c..83f720a 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -33,6 +33,8 @@ public class RangerHadoopConstants {
public static final boolean HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
public static final String HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP = "xasecure.hive.block.update.if.rowfilter.columnmask.specified";
public static final boolean HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE = true;
+ public static final String HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP = "xasecure.hive.describetable.showcolumns.authorization.option";
+ public static final String HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE = "NONE";
public static final String HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP = "xasecure.hbase.update.xapolicies.on.grant.revoke";
public static final boolean HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
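Review bot: The two new constants do not document which values the property accepts; the recognised strings (`none`, `show-all`, `show-allowed`) appear only as literals in RangerHiveAuthorizer. Add a comment above `HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP` such as `// accepted values (case-insensitive): NONE (require SELECT), SHOW-ALL (require only USE), SHOW-ALLOWED (not implemented, behaves as NONE)`. Alternatively, define the accepted values as constants here so the authorizer and the configuration cannot drift apart.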
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d8f4b2ea/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 92fc2e7..717cec3 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -831,7 +831,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, boolean isInput) {
HiveAccessType accessType = HiveAccessType.NONE;
HivePrivObjectActionType objectActionType = hiveObj.getActionType();
-
switch(objectActionType) {
case INSERT:
case INSERT_OVERWRITE:
@@ -948,15 +947,30 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
case QUERY:
case SHOW_TABLESTATUS:
case SHOW_CREATETABLE:
- case SHOWCOLUMNS:
case SHOWINDEXES:
case SHOWPARTITIONS:
case SHOW_TBLPROPERTIES:
- case DESCTABLE:
case ANALYZE_TABLE:
accessType = HiveAccessType.SELECT;
break;
+ case SHOWCOLUMNS:
+ case DESCTABLE:
+ switch (StringUtil.toLower(hivePlugin.DescribeShowTableAuth)){
+ case "show-allowed":
+ // This is not implemented so defaulting to current behaviour of blocking describe/show columns not to show any columns.
+ // This has to be implemented when hive provides the necessary filterListCmdObjects for
+ // SELECT/SHOWCOLUMS/DESCTABLE to filter the columns based on access provided in ranger.
+ case "none":
+ case "":
+ accessType = HiveAccessType.SELECT;
+ break;
+ case "show-all":
+ accessType = HiveAccessType.USE;
+ break;
+ }
+ break;
+
// any access done for metadata access of actions that have support from hive for filtering
case SHOWDATABASES:
case SWITCHDATABASE:
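Review bot: The inner `switch` on `StringUtil.toLower(hivePlugin.DescribeShowTableAuth)` has no `default` branch, so any value other than the four listed strings (a misspelled `show-all`, for instance) leaves `accessType` at the `HiveAccessType.NONE` it was initialised with at the top of `getAccessType`. How the caller treats `NONE` is not visible in this hunk, but if it means "no check required", a misconfigured property would let SHOWCOLUMNS/DESCTABLE through without a policy evaluation. An authorization switch should fail closed: add `default:` next to `case "none":` and `case "":` so unrecognised values resolve to `HiveAccessType.SELECT`. A comment on `case "show-all":` should also state that it deliberately lowers the requirement to `USE`, which exposes column metadata for tables the user cannot select from. The enclosing method starts and ends outside the hunk.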
@@ -1325,6 +1339,7 @@ enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, US
class RangerHivePlugin extends RangerBasePlugin {
public static boolean UpdateXaPoliciesOnGrantRevoke = RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE;
public static boolean BlockUpdateIfRowfilterColumnMaskSpecified = RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE;
+ public static String DescribeShowTableAuth = RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE;
public RangerHivePlugin(String appType) {
super("hive", appType);
@@ -1336,6 +1351,7 @@ class RangerHivePlugin extends RangerBasePlugin {
RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP, RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
RangerHivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP, RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE);
+ RangerHivePlugin.DescribeShowTableAuth = RangerConfiguration.getInstance().get(RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP,RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE);
}
}
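Review bot: The property value is stored exactly as read in `RangerHivePlugin.DescribeShowTableAuth = RangerConfiguration.getInstance().get(...)`, with no trimming, validation or logging, so stray whitespace or a misspelling is carried silently into `getAccessType`, where it matches none of the expected strings. Validate it once here: trim it, compare it against the accepted set, and when it is not recognised fall back to the default and log a warning naming the property. The effective mode should also be logged at init, because `show-all` relaxes the check for describe/show columns and an operator auditing the plugin needs to see that. The field added in the previous hunk is `public static` and non-final, so any class can change the authorization mode at runtime; a private field with a getter would be safer, although the existing fields follow the same pattern. The method body starts outside the hunk.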