Posted to dev@ranger.apache.org by Gautam Borad <gb...@gmail.com> on 2016/03/16 13:24:11 UTC

Re: Review Request 44444: RANGER-875 : Restrict Grantor privileges of Ranger db user for Oracle DB Flavor

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44444/#review123859
-----------------------------------------------------------


Ship it!

- Gautam Borad


On March 8, 2016, 2:13 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44444/
> -----------------------------------------------------------
> 
> (Updated March 8, 2016, 2:13 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, and Selvamohan Neethiraj.
> 
> 
> Bugs: RANGER-875
>     https://issues.apache.org/jira/browse/RANGER-875
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement :**
> Currently the installation script gives grantor roles to the Ranger db user on several privileges. Restrict the Grantor role of the Ranger db user to only those privileges on which the Ranger db user needs to give grants to the audit db user.
> 
> **Proposed Solution :**
> In the attached patch I have removed the 'WITH ADMIN OPTION' clause from the GRANT statement as it's not required any more.
> The Ranger db user does not need the Grantor role on tables for the SELECT operation explicitly, as he is the schema owner and has all privileges on all objects of that schema.
> Since the Oracle Root user gives the 'CREATE SESSION' privilege to the audit db user, the Ranger db user does not need to give the same privilege again to the audit db user; thus the Ranger db user does not need the Grantor role on the 'CREATE SESSION' privilege either.
> 
> 
> Diffs
> -----
> 
>   kms/scripts/dba_script.py 1e039e5 
>   security-admin/scripts/db_setup.py 1a74b4a 
>   security-admin/scripts/dba_script.py 66b2848 
> 
> Diff: https://reviews.apache.org/r/44444/diff/
> 
> 
> Testing
> -------
> 
> **Steps performed:**
> 1. After configuring install.properties of Ranger admin for Oracle DB Flavor, called setup.sh to install Ranger.
> 2. Started Ranger Admin and Created HDFS service and policy.
> 3. Installed HDFS plugin and enabled HDFS plugin with audit to DB logs.
> 4. Executed a few HDFS commands to audit logs.
> 
> **Result/Behavior:**
> Installation logs do not have any Grant statement containing 'WITH ADMIN OPTION'.
> Setup was done successfully and Ranger UI was working.
> Was able to see audit logs of the HDFS commands executed in the testing process for policy enforcement.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
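
The log check described under "Result/Behavior" in the quoted request, as an added example that is not part of the original e-mail or the Ranger patch: it scans installer output for GRANT statements that still pass on grant rights. It goes slightly beyond the request by also reporting Oracle's object-level `WITH GRANT OPTION`; the log format, user names and table name are constructed assumptions, and statements are assumed to end with `;`.

```python
import re

# Constructed sample of installer log output (not from a real Ranger run).
# ranger_db_user, audit_db_user and sample_audit_table are placeholder names.
SAMPLE_LOG = """\
2016-03-08 14:01:02 [I] GRANT CREATE SESSION, CREATE TABLE TO ranger_db_user WITH ADMIN OPTION;
2016-03-08 14:01:03 [I] grant create session to audit_db_user;
2016-03-08 14:01:04 [I] GRANT SELECT ON ranger_db_user.sample_audit_table
    TO audit_db_user WITH GRANT OPTION;
2016-03-08 14:01:05 [I] GRANT UNLIMITED TABLESPACE TO ranger_db_user;
"""

# One GRANT statement up to its terminating ';'. The privilege list may not
# contain ';', so a match can never run on into the next statement.
GRANT_RE = re.compile(
    r"\bGRANT\s+(?P<privs>[^;]+?)\s+TO\s+(?P<grantee>[\w$#\"]+)"
    r"(?:\s+WITH\s+(?P<option>ADMIN|GRANT)\s+OPTION)?\s*;",
    re.IGNORECASE,
)


def find_grantable(log_text):
    """Return (grantee, option, [privileges]) for every GRANT that lets the
    grantee re-grant what it received (ADMIN = system, GRANT = object)."""
    findings = []
    for m in GRANT_RE.finditer(log_text):
        if not m.group("option"):
            continue  # plain grant: the grantee cannot pass the privilege on
        # Normalise whitespace and case so multi-line statements compare cleanly.
        privs = [" ".join(p.split()).upper() for p in m.group("privs").split(",")]
        findings.append(
            (m.group("grantee").lower(), m.group("option").upper(), privs)
        )
    return findings


if __name__ == "__main__":
    for grantee, option, privs in find_grantable(SAMPLE_LOG):
        print(f"{grantee}: WITH {option} OPTION on {', '.join(privs)}")
```

An empty result over the installation log corresponds to the outcome reported in the request; any remaining entry should be one the audit-user setup actually requires.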