You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by rm...@apache.org on 2021/09/08 16:16:42 UTC
[ranger] branch ranger-2.2 updated: RANGER-3350: Ranger
HivePluginAuthorizer SHOW CURRENT ROLES not fetching the role set in
current hive beeline session
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new a3a553d RANGER-3350: Ranger HivePluginAuthorizer SHOW CURRENT ROLES not fetching the role set in current hive beeline session
a3a553d is described below
commit a3a553d753af2eff846f1f6fd23eb4f6352cbd75
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Tue Aug 17 21:58:03 2021 -0700
RANGER-3350: Ranger HivePluginAuthorizer SHOW CURRENT ROLES not fetching the role set in current hive beeline session
Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
.../hive/authorizer/RangerHiveAuthorizer.java | 26 ++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 8621f73..7558034 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -127,6 +127,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private String currentUserName;
private Set<String> currentRoles;
private String adminRole;
+ private boolean isCurrentRoleSet = false;
public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
HiveConf hiveConf,
@@ -310,12 +311,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if (ROLE_NONE.equalsIgnoreCase(roleName)) {
// for set role NONE, clear all roles for current session.
currentRoles.clear();
+ isCurrentRoleSet = true;
return;
}
if (ROLE_ALL.equalsIgnoreCase(roleName)) {
// for set role ALL, reset roles to default roles.
currentRoles.clear();
currentRoles.addAll(getCurrentRoleNamesFromRanger());
+ isCurrentRoleSet = true;
return;
}
for (String role : getCurrentRoleNamesFromRanger()) {
@@ -323,6 +326,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if (role.equalsIgnoreCase(roleName)) {
currentRoles.clear();
currentRoles.add(role);
+ isCurrentRoleSet = true;
return;
}
}
@@ -330,6 +334,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if (ROLE_ADMIN.equalsIgnoreCase(roleName) && null != this.adminRole) {
currentRoles.clear();
currentRoles.add(adminRole);
+ isCurrentRoleSet = true;
return;
}
LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
@@ -3011,7 +3016,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private Set<String> getCurrentRoles() {
// from SQLStdHiveAccessController.getCurrentRoles()
- initUserRoles();
+ getCurrentRoleForCurrentUser();
return currentRoles;
}
@@ -3037,6 +3042,21 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
}
+ private void getCurrentRoleForCurrentUser() {
+ if (isCurrentRoleSet) {
+ // current session has a role set, so no need to fetch roles.
+ return;
+ }
+ String newUserName = getHiveAuthenticator().getUserName();
+ this.currentUserName = newUserName;
+ try {
+ currentRoles = getCurrentRoleNamesFromRanger();
+ } catch (HiveAuthzPluginException e) {
+ LOG.error("Error while fetching roles from ranger for user : " + currentUserName, e);
+ }
+ LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
+ }
+
private Set<String> getCurrentRolesForUser(String user, Set<String> groups) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerHiveAuthorizer.getCurrentRolesForUser()");
@@ -3044,9 +3064,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
Set<String> ret = hivePlugin.getRolesFromUserAndGroups(user, groups);
- if (CollectionUtils.isNotEmpty(ret) && CollectionUtils.isNotEmpty(currentRoles) && ret.containsAll(currentRoles)) {
- ret = currentRoles;
- }
+ ret = (isCurrentRoleSet) ? currentRoles : ret;
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerHiveAuthorizer.getCurrentRolesForUser() User: " + currentUserName + ", User Roles: " + ret);