You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2021/06/05 07:48:11 UTC

Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin


> On Feb. 5, 2021, 7:20 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
> > Lines 36 (patched)
> > <https://reviews.apache.org/r/71899/diff/2/?file=2245598#file2245598line36>
> >
> >     Why is this needed? Authorization request will typically contain only user/groups. Ranger role-names need to be derived only from these two.

show role grant role <rolename> needs the role mapping to display the roles.


- Ramesh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/#review222568
-----------------------------------------------------------


On Jan. 27, 2021, 9:19 p.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71899/
> -----------------------------------------------------------
> 
> (Updated Jan. 27, 2021, 9:19 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2640
>     https://issues.apache.org/jira/browse/RANGER-2640
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 3e35709aa 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 71f8daeb5 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 5ffd38f98 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 81b1971a8 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 115a576e0 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java 0268e2f30 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java e145ea299 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java e06f1357f 
> 
> 
> Diff: https://reviews.apache.org/r/71899/diff/3/
> 
> 
> Testing
> -------
> 
> - Verified in Local VM.
> - Show Role Grant <user|group|role> <principal> implementation. 
> - Revised that patch to handle the ROLE fetch from plugin instead of getting it from Ranger admin via rest.
> - Introduced service configuration "ranger.plugin.service.admins" to maintain list of service admin who can run "show role"commands in hive.
> - Introduced api isServiceAdmin() in RangerBasePlugin to check if the user is service admin. This will enable other plugins to use similar service admin check for any ROLE based command authorization check.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>