You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Bolke de Bruin <bd...@gmail.com> on 2019/05/01 10:29:46 UTC

Re: Review Request 70394: Presto Plugin

Hi,

While doing further tests in production the “isValidLeaf” is not working as
we would expect it. Consider the following:

We would like to enable users to show all catalogs names (ie. SHOW
CATALOGS), but not have access to the every underlying schemas (ie. you
should not be able to do “SHOW SCHEMAS FROM random_catalog”).

So we setup a policy that says:

Presto catalog: * (Exclude) and set none to schema (using the isValidLeaf
functionality). Allow conditions: select + use

This works fine. Now we want to enable the user to access the Hive Catalog
with a schema Finance, so we setup a additional policy that says:

Prest catalog: “hive” (include), schema: finance (include), none for tables
(again using the isValidLeaf functionality). Allow conditions: select + use

This does *not* work. Access fails by an “access denied” to the catalog.

How do we set this up correctly?

Thanks
Bolke



On 17 April 2019 at 20:30:07, Bolke de Bruin (bdbruin@gmail.com) wrote:

Hi abhay

Can you please answer the question on the review board on how to set a
policy on just a catalog (so not on the underlying schema) with isValidLeaf
= true?

Thx
Bolke

Verstuurd vanaf mijn iPad

> Op 17 apr. 2019 om 00:51 heeft Abhay Kulkarni <ak...@hortonworks.com>
het volgende geschreven:
>
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70394/#review214705
> -----------------------------------------------------------
>
>
>
>
>
agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
> Lines 146 (patched)
> <https://reviews.apache.org/r/70394/#comment300924>
>
> '},' ==> '}'
>
> This will cause JSON error. Please remove the comma after curly brace.
>
>
> - Abhay Kulkarni
>
>
>> On April 16, 2019, 1:02 p.m., Bolke de Bruin wrote:
>>
>> -----------------------------------------------------------
>> This is an automatically generated e-mail. To reply, visit:
>> https://reviews.apache.org/r/70394/
>> -----------------------------------------------------------
>>
>> (Updated April 16, 2019, 1:02 p.m.)
>>
>>
>> Review request for ranger and Abhay Kulkarni.
>>
>>
>> Bugs: https://issues.apache.org/jira/browse/RANGER-2395
>>
https://issues.apache.org/jira/browse/https://issues.apache.org/jira/browse/RANGER-2395
>>
>>
>> Repository: ranger
>>
>>
>> Description
>> -------
>>
>> Presto Plugin for Ranger.
>>
>>
>> Diffs
>> -----
>>
>> agents-common/scripts/enable-agent.sh b4194a736
>>
agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
cbfd649c9
>>
agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
PRE-CREATION
>> plugin-presto/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION
>> plugin-presto/conf/ranger-policymgr-ssl.xml PRE-CREATION
>> plugin-presto/conf/ranger-presto-audit-changes.cfg PRE-CREATION
>> plugin-presto/conf/ranger-presto-audit.xml PRE-CREATION
>> plugin-presto/conf/ranger-presto-security-changes.cfg PRE-CREATION
>> plugin-presto/conf/ranger-presto-security.xml PRE-CREATION
>> plugin-presto/pom.xml PRE-CREATION
>> plugin-presto/scripts/install.properties PRE-CREATION
>>
plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
PRE-CREATION
>>
plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java
PRE-CREATION
>>
plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java
PRE-CREATION
>>
plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoConnectionManager.java
PRE-CREATION
>>
plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoResourceManager.java
PRE-CREATION
>> pom.xml 2a45f8b2d
>> ranger-presto-plugin-shim/pom.xml PRE-CREATION
>>
ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/PrestoRangerPlugin.java
PRE-CREATION
>>
ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerConfig.java
PRE-CREATION
>>
ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
PRE-CREATION
>>
ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlFactory.java
PRE-CREATION
>>
ranger-presto-plugin-shim/src/main/resources/META-INF/services/io.prestosql.spi.Plugin
PRE-CREATION
>> src/main/assembly/admin-web.xml 06ba8c4f0
>> src/main/assembly/plugin-presto.xml PRE-CREATION
>>
>>
>> Diff: https://reviews.apache.org/r/70394/diff/5/
>>
>>
>> Testing
>> -------
>>
>> Tested in production.
>>
>> https://issues.apache.org/jira/browse/RANGER-2395
>>
>>
>> Thanks,
>>
>> Bolke de Bruin
>>
>>
>