Posted to dev@ranger.apache.org by Qiang Zhang <zh...@zte.com.cn> on 2017/07/25 12:41:58 UTC

Review Request 61108: Hive table was not inserted data after user created Hive Masking policy.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61108/
-----------------------------------------------------------

Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1712
    https://issues.apache.org/jira/browse/RANGER-1712


Repository: ranger


Description
-------

The RANGER-1578 change used the following logic in the RangerHiveAuthorizer class.

segment 1:
    if (isDataMaskEnabled(dataMaskResult)) {
        if (result == null) {
            result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
        }
        result.setIsAllowed(false); // set false
        result.setPolicyId(dataMaskResult.getPolicyId());
        result.setReason("User does not have acces to unmasked column values");
    }

segment 2:
    if (result == null || !result.getIsAllowed()) {
        // result.getIsAllowed() is always false here, so the logic is wrong:
        // the program always enters this block.
        String path = resource.getAsString();
        path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
        throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path));
    }

The cause of the error is as follows:
result.setIsAllowed(false) is called in segment 1, so result.getIsAllowed() is always false in segment 2. This is an error.
1. Scenarios
create database cust;
use cust;
create table customer(id int,name_first string,name_last string,addr_country string, data_of_birth date, phone_num string) ROW FORMAT DELIMITED
FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');
Result: insert success
1) First, create a Hive access policy: user mr has all privileges on database (cust), table (customer) and columns (see Acess.png for details).
insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
Result: insert success
2) Second, create a masking policy on cust.customer.name_first (see Masking.png for details).
insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
3. Solution:
Modify RangerHiveAuthorizer.java, changing

    result.setIsAllowed(false);
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");

to

    result.setIsAllowed(dataMaskResult.getIsAllowed());
    result.setPolicyId(dataMaskResult.getPolicyId());
    if (!dataMaskResult.getIsAllowed()) {
        result.setReason("User does not have acces to unmasked column values");
    }


Diffs
-----

  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 56ef187 


Diff: https://reviews.apache.org/r/61108/diff/1/


Testing
-------

Tested it!


Thanks,

Qiang Zhang


Re: Review Request 61108: Hive table was not inserted data after user created Hive Masking policy.

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61108/
-----------------------------------------------------------

(Updated July 25, 2017, 12:46 p.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1712
    https://issues.apache.org/jira/browse/RANGER-1712


Repository: ranger


Description (updated)
-------

The RANGER-1578 change used the following logic in the RangerHiveAuthorizer class.

segment 1:
    if (isDataMaskEnabled(dataMaskResult)) {
        if (result == null) {
            result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
        }
        result.setIsAllowed(false); // set false after the user created a Hive masking policy
        result.setPolicyId(dataMaskResult.getPolicyId());
        result.setReason("User does not have acces to unmasked column values");
    }

segment 2:
    if (result == null || !result.getIsAllowed()) {
        // result.getIsAllowed() is always false after the user created a Hive masking policy,
        // so the logic is wrong: the program always enters this block.
        String path = resource.getAsString();
        path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
        throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, request.getHiveAccessType().name(), path));
    }

The cause of the error is as follows:
result.setIsAllowed(false) is called in segment 1 after the user created a Hive masking policy, so result.getIsAllowed() is always false in segment 2 after the user created a Hive masking policy. This is an error.
1. Scenarios
create database cust;
use cust;
create table customer(id int,name_first string,name_last string,addr_country string, data_of_birth date, phone_num string) ROW FORMAT DELIMITED
FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');
Result: insert success
1) First, create a Hive access policy: user mr has all privileges on database (cust), table (customer) and columns (see Acess.png for details).
insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
Result: insert success
2) Second, create a masking policy on cust.customer.name_first (see Masking.png for details).
insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
3. Solution:
Modify RangerHiveAuthorizer.java, changing

    result.setIsAllowed(false);
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");

to

    result.setIsAllowed(dataMaskResult.getIsAllowed());
    result.setPolicyId(dataMaskResult.getPolicyId());
    if (!dataMaskResult.getIsAllowed()) {
        result.setReason("User does not have acces to unmasked column values");
    }


Diffs
-----

  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 56ef187 


Diff: https://reviews.apache.org/r/61108/diff/1/


Testing
-------

Tested it!


Thanks,

Qiang Zhang
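The control flow described in both messages above, as an added stand-alone model that is not Ranger's code: AccessResult, HiveAccessControlError and the "mask_result is None" test are constructed stand-ins for the real classes and for isDataMaskEnabled(), and the `fixed` flag switches between the RANGER-1578 logic and the RANGER-1712 change so the two outcomes for the third insert can be compared.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed stand-ins for RangerAccessResult / HiveAccessControlException (not Ranger's code).
@dataclass
class AccessResult:
    is_allowed: bool = False
    policy_id: int = -1
    reason: Optional[str] = None

class HiveAccessControlError(Exception):
    pass
MASK_REASON = "User does not have acces to unmasked column values"  # text as quoted on the page

def check_privileges(access_result, mask_result, fixed):
    """Model of segment 1 and segment 2 from the review request.
    access_result: access-policy verdict, or None if no access policy matched.
    mask_result: data-mask verdict, or None when no mask policy applies
                 (simplified stand-in for isDataMaskEnabled()).
    fixed: False reproduces the RANGER-1578 logic, True applies the RANGER-1712 change.
    Returns the final AccessResult or raises HiveAccessControlError."""
    result = access_result
    # segment 1: a masking policy matched
    if mask_result is not None:
        if result is None:
            result = AccessResult()
        result.policy_id = mask_result.policy_id
        if not fixed:
            result.is_allowed = False  # unconditional deny: the bug
            result.reason = MASK_REASON
        else:
            result.is_allowed = mask_result.is_allowed  # use the mask policy's own verdict
            if not mask_result.is_allowed:
                result.reason = MASK_REASON
    # segment 2: under the old logic this is always taken once a mask policy matched
    if result is None or not result.is_allowed:
        raise HiveAccessControlError(
            "Permission denied: user [glc] does not have [UPDATE] privilege on [cust/customer]")
    return result

def outcome(access_allowed, mask_allowed, fixed):
    """Page scenario: 'allowed' or 'denied' for the insert into cust.customer.
    Each argument is that policy type's verdict, or None if no such policy matched."""
    access = None if access_allowed is None else AccessResult(access_allowed, 1)
    mask = None if mask_allowed is None else AccessResult(mask_allowed, 2)
    try:
        check_privileges(access, mask, fixed)
        return "allowed"
    except HiveAccessControlError:
        return "denied"
```

outcome(True, True, False) reproduces the denied third insert from the scenario, while outcome(True, True, True) shows the same request passing after the change.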