Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@gmail.com> on 2020/04/24 14:17:03 UTC

Review Request 72429: RANGER-2763: Hive SET Role command in Ranger hive plugin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Nixon Rodrigues, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2763
    https://issues.apache.org/jira/browse/RANGER-2763


Repository: ranger


Description
-------

**Problem Statement:** Hive SET Role command is not supported in Ranger hive plugin
Error message : setCurrentRole() not implemented in Ranger AbstractHiveAuthorizer

**Proposed Solution:** Added implementation as per https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520

However, the user's role list will not be fetched from the Hive metastore; rather, it will be fetched from Ranger admin.

Note: the command "set role" may not generate any audit logs as of now. I could not test the same as I don't have an environment.


Diffs
-----

  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java a6f74b95e 
  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java c752489ef 


Diff: https://reviews.apache.org/r/72429/diff/1/


Testing
-------

With patch:
1) Added two roles in ranger admin "admin" and "public" and added hive user in that. 
2) logged in from hive user in hive cli and executed command "show current roles"
3) output received "public"
4) executed command "set role admin" and command was executed successfully
5) executed command "show current roles"
6) output received "admin"
7) executed command "show roles"
8) command failed to execute as "hive" is not an admin in Ranger and only user having "admin" role is ranger-admin can execute that.


Thanks,

Pradeep Agrawal


Re: Review Request 72429: RANGER-2763: Hive SET Role command in Ranger hive plugin

Posted by Pradeep Agrawal <pr...@gmail.com>.

> On May 8, 2020, 1:21 p.m., bhavik patel wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Lines 321 (patched)
> > <https://reviews.apache.org/r/72429/diff/2/?file=2229649#file2229649line323>
> >
> >     Any specific reason for not throwing any Exception.

Added error message there.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220695
-----------------------------------------------------------


On April 24, 2020, 2:17 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72429/
> -----------------------------------------------------------
> 
> (Updated April 24, 2020, 2:17 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Nixon Rodrigues, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2763
>     https://issues.apache.org/jira/browse/RANGER-2763
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Hive SET Role command is not supported in Ranger hive plugin
> Error message : setCurrentRole() not implemented in Ranger AbstractHiveAuthorizer
> 
> **Proposed Solution:** Added implementation as per https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520
> 
> However, the user's role list will not be fetched from the Hive metastore; rather, it will be fetched from Ranger admin.
> 
> Note: the command "set role" may not generate any audit logs as of now. I could not test the same as I don't have an environment.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 89d585a3a 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java 2a28f701a 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java ea42c82c1 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java ee605e869 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 59a04058b 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java c9514141a 
>   agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java b42353b0a 
>   agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 4cca8ce84 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e9954c3ca 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 26c7dfb7c 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 6461a2467 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java d304bec81 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java 188f2b1b7 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java a6f74b95e 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java c752489ef 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java ba6b459bb 
>   plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java dc2ed8a69 
>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java d4521a392 
>   ranger-examples/plugin-sampleapp/src/main/java/org/apache/ranger/examples/sampleapp/RangerAuthorizer.java 6b3d6eae7 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 5e9329133 
> 
> 
> Diff: https://reviews.apache.org/r/72429/diff/3/
> 
> 
> Testing
> -------
> 
> With patch:
> 1) Added two roles in ranger admin "admin" and "public" and added hive user in that. 
> 2) logged in from hive user in hive cli and executed command "show current roles"
> 3) output received "public"
> 4) executed command "set role admin" and command was executed successfully
> 5) executed command "show current roles"
> 6) output received "admin"
> 7) executed command "show roles"
> 8) command failed to execute as "hive" is not an admin in Ranger and only user having "admin" role is ranger-admin can execute that.
> 
> 
> **Actual behaviour without Ranger ACL, use case:**
> 
> 1) Login from hive user: create two roles, let's say role1 and role2
> 
> 2) create one table table1 and insert a record.
> 
> 3) grant select on table1 to role1 and insert on table1 to role2
> 
> 4) create user testuser1 and give both role1 and role2 to user testuser1
> 
> 5) login from user testuser1 and set role to role1 by using the set role command
> 
> 6) execute sql statement to select the records: since role1 has the select grant, the user will be able to view the records.
> 
> 7) execute insert statement to add a record: since role1 does not have insert privileges and the user has set the current role to only role1, he would not be able to insert the records.
> 
> 8) now run the command set role and set the role to role2
> 
> 9) execute insert statement to add a record: since role2 has insert privileges and the user has set the current role to only role2, he would be able to insert the records.
> 
> 10) execute sql statement to select the records: since role2 does not have select permissions, the user will not be able to view the records.
> 
> 11) logout and login again from the same user and execute the show current role command; both roles should be displayed.
> 
> **With Ranger ACL:** With Ranger ACL also, the use case is the same as above.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>


Re: Review Request 72429: RANGER-2763: Hive SET Role command in Ranger hive plugin

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220695
-----------------------------------------------------------




hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 321 (patched)
<https://reviews.apache.org/r/72429/#comment309319>

    Any specific reason for not throwing any Exception.


- bhavik patel


On April 24, 2020, 2:17 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72429/
> -----------------------------------------------------------
> 
> (Updated April 24, 2020, 2:17 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Nixon Rodrigues, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2763
>     https://issues.apache.org/jira/browse/RANGER-2763
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Hive SET Role command is not supported in Ranger hive plugin
> Error message : setCurrentRole() not implemented in Ranger AbstractHiveAuthorizer
> 
> **Proposed Solution:** Added implementation as per https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520
> 
> However, the user's role list will not be fetched from the Hive metastore; rather, it will be fetched from Ranger admin.
> 
> Note: the command "set role" may not generate any audit logs as of now. I could not test the same as I don't have an environment.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 89d585a3a 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java 2a28f701a 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java ea42c82c1 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java ee605e869 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 59a04058b 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java c9514141a 
>   agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java b42353b0a 
>   agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 4cca8ce84 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e9954c3ca 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 26c7dfb7c 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 6461a2467 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java a5697f24f 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java 188f2b1b7 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java a6f74b95e 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java c752489ef 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java ba6b459bb 
>   plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java dc2ed8a69 
>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java d4521a392 
>   ranger-examples/plugin-sampleapp/src/main/java/org/apache/ranger/examples/sampleapp/RangerAuthorizer.java 6b3d6eae7 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 5e9329133 
> 
> 
> Diff: https://reviews.apache.org/r/72429/diff/2/
> 
> 
> Testing
> -------
> 
> With patch:
> 1) Added two roles in ranger admin "admin" and "public" and added hive user in that. 
> 2) logged in from hive user in hive cli and executed command "show current roles"
> 3) output received "public"
> 4) executed command "set role admin" and command was executed successfully
> 5) executed command "show current roles"
> 6) output received "admin"
> 7) executed command "show roles"
> 8) command failed to execute as "hive" is not an admin in Ranger and only user having "admin" role is ranger-admin can execute that.
> 
> 
> **Actual behaviour without Ranger ACL, use case:**
> 
> 1) Login from hive user: create two roles, let's say role1 and role2
> 
> 2) create one table table1 and insert a record.
> 
> 3) grant select on table1 to role1 and insert on table1 to role2
> 
> 4) create user testuser1 and give both role1 and role2 to user testuser1
> 
> 5) login from user testuser1 and set role to role1 by using the set role command
> 
> 6) execute sql statement to select the records: since role1 has the select grant, the user will be able to view the records.
> 
> 7) execute insert statement to add a record: since role1 does not have insert privileges and the user has set the current role to only role1, he would not be able to insert the records.
> 
> 8) now run the command set role and set the role to role2
> 
> 9) execute insert statement to add a record: since role2 has insert privileges and the user has set the current role to only role2, he would be able to insert the records.
> 
> 10) execute sql statement to select the records: since role2 does not have select permissions, the user will not be able to view the records.
> 
> 11) logout and login again from the same user and execute the show current role command; both roles should be displayed.
> 
> **With Ranger ACL:** With Ranger ACL also, the use case is the same as above.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>


Re: Review Request 72429: RANGER-2763: Hive SET Role command in Ranger hive plugin

Posted by Pradeep Agrawal <pr...@gmail.com>.

> On April 27, 2020, 6:14 a.m., Madhan Neethiraj wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Lines 127 (patched)
> > <https://reviews.apache.org/r/72429/diff/1/?file=2227514#file2227514line127>
> >
> >     The user can pick only one role to the current-role, right? If user doesn't specify any, then all roles assigned to the user (and user's groups) will be used to authorize the access. So, I suggest to consider replacing:
> >       private List<String> currentRoles;
> >     
> >     with:
> >       private String useRole;
> >     
> >     
> >     In addition, it will be necessary to update policy evaluation to only use the role specified in 'setRole()' to perform authorization. Please review and update.

The user can pick only one role to the current-role, right?
Pradeep : Yes

If user doesn't specify any, then all roles assigned to the user (and user's groups) will be used to authorize the access.
Pradeep : Yes, but it seems the "set role" command is based on the session level, not on the application level. Like, if the user logs out then his roles will be reset to whatever they were before login. So I think we have to keep the list for roles. Also, before executing the "set role" command, the "show current roles" command should list all the roles.
Implementation Reference : https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520


--
In addition, it will be necessary to update policy evaluation to only use the role specified in 'setRole()' to perform authorization. Please review and update.

Pradeep : Will review and let you know. This implementation will also vary based on the answer to the above question.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220495
-----------------------------------------------------------
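
Added example (not code from the patch, from Ranger or from Hive): a model of the session-scoped role semantics this thread describes, keeping a list of current roles that defaults to every assigned role, narrowing it on "set role", authorizing only against the current roles, and rejecting an unassigned role with an exception. The class `SessionRoleDemo`, its `Session` type and the in-memory role tables are hypothetical stand-ins for the plugin and for the role data held in Ranger admin.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class SessionRoleDemo {
    // Constructed sample data standing in for the role assignments Ranger admin would return.
    static final Map<String, Set<String>> USER_ROLES =
            Map.of("testuser1", Set.of("role1", "role2"));
    // Constructed grants on table1, matching the test steps: role1 = select, role2 = insert.
    static final Map<String, Set<String>> ROLE_GRANTS =
            Map.of("role1", Set.of("select"), "role2", Set.of("insert"));

    /** One instance per login session (hypothetical type, not a Ranger class). */
    static final class Session {
        private final String user;
        private final Set<String> assignedRoles;
        private List<String> currentRoles;

        Session(String user) {
            this.user = user;
            this.assignedRoles = USER_ROLES.getOrDefault(user, Set.of());
            // Until "set role" runs, every assigned role is current (sorted for stable output).
            this.currentRoles = new ArrayList<>(new TreeSet<>(assignedRoles));
        }

        /** Narrow the session to one role; refuse roles the user was never assigned. */
        void setCurrentRole(String role) {
            // Set.of(...) sets throw NullPointerException on contains(null), so check first.
            if (role == null || !assignedRoles.contains(role)) {
                // Fail loudly instead of silently keeping the old roles,
                // so the caller cannot mistake a rejected switch for a successful one.
                throw new SecurityException(user + " does not belong to role " + role);
            }
            currentRoles = new ArrayList<>(List.of(role));
        }

        List<String> getCurrentRoles() {
            return new ArrayList<>(currentRoles);
        }

        /** Authorization consults only the current roles, not every assigned role. */
        boolean isAllowed(String privilege) {
            for (String role : currentRoles) {
                if (ROLE_GRANTS.getOrDefault(role, Set.of()).contains(privilege)) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        Session s = new Session("testuser1");
        System.out.println("after login:    " + s.getCurrentRoles());

        s.setCurrentRole("role1");
        System.out.println("set role role1: select=" + s.isAllowed("select")
                + " insert=" + s.isAllowed("insert"));

        s.setCurrentRole("role2");
        System.out.println("set role role2: select=" + s.isAllowed("select")
                + " insert=" + s.isAllowed("insert"));

        try {
            s.setCurrentRole("admin"); // not assigned to testuser1 in the sample data
        } catch (SecurityException e) {
            System.out.println("rejected:       " + e.getMessage());
        }
        // A rejected switch leaves the session's roles untouched.
        System.out.println("still current:  " + s.getCurrentRoles());

        // A new login is a new session, so the narrowing does not persist.
        Session relogin = new Session("testuser1");
        System.out.println("after re-login: " + relogin.getCurrentRoles());
    }
}
```

Compile and run with `javac SessionRoleDemo.java && java SessionRoleDemo` on Java 9 or later.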




Re: Review Request 72429: RANGER-2763: Hive SET Role command in Ranger hive plugin

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220495
-----------------------------------------------------------




hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 127 (patched)
<https://reviews.apache.org/r/72429/#comment308947>

    The user can pick only one role to the current-role, right? If user doesn't specify any, then all roles assigned to the user (and user's groups) will be used to authorize the access. So, I suggest to consider replacing:
      private List<String> currentRoles;
    
    with:
      private String useRole;
    
    In addition, it will be necessary to update policy evaluation to only use the role specified in 'setRole()' to perform authorization. Please review and update.


- Madhan Neethiraj




Re: Review Request 72429: RANGER-2763: Hive SET Role command in Ranger hive plugin

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220844
-----------------------------------------------------------


Ship it!

- bhavik patel

