Posted to issues@hawq.apache.org by "Xiang Sheng (JIRA)" <ji...@apache.org> on 2017/02/28 09:56:45 UTC

[jira] [Reopened] (HAWQ-1332) Can not grant database and schema privileges without table privileges in ranger or ranger plugin service

     [ https://issues.apache.org/jira/browse/HAWQ-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiang Sheng reopened HAWQ-1332:
-------------------------------

[~adenisso] I have checked how Hive processes include/exclude in Ranger. We found that Hive provides some features around include/exclude that we don't have.
As the JIRA description said, if we include database and schema and exclude table, we cannot connect to the database. It seems that including/excluding a table impacts database and schema privileges.
But in Hive, if we exclude a database, we don't have the selected privileges. If we include the database, we have the privileges. If we exclude one table, we still have the selected privileges for other tables; if we include one table, we have some of the selected privileges on the table. So include/exclude works fine (maybe not fine-grained) in Hive.
So we should re-examine how we process include/exclude and fix the problems.

> Can not grant database and schema privileges without table privileges in ranger or ranger plugin service
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HAWQ-1332
>                 URL: https://issues.apache.org/jira/browse/HAWQ-1332
>             Project: Apache HAWQ
>          Issue Type: Bug
>          Components: Security
>            Reporter: Chunling Wang
>            Assignee: Alexander Denissov
>             Fix For: 2.2.0.0-incubating
>
>         Attachments: screenshot-1.png, screenshot-2.png, screenshot-3.png
>
>
> We try to grant database connect and schema usage privileges to a non-superuser so that it can connect to the database. We find that if we set a policy with database and schema included, but with table excluded, we cannot connect to the database. But if we include table, we can connect to the database. We think there may be a bug in Ranger Plugin Service or Ranger. Here are the steps to reproduce it.
> 1. create a new user "usertest1" in database:
> {code}
> $ psql postgres
> psql (8.2.15)
> Type "help" for help.
> postgres=# CREATE USER usertest1;
> NOTICE:  resource queue required -- using default resource queue "pg_default"
> CREATE ROLE
> postgres=#
> {code}
> 2. add user "usertest1" in pg_hba.conf
> {code}
> local all     usertest1             trust
> {code}
> 3. set policy with database and schema included, with table excluded
> !screenshot-1.png|width=800,height=400!
> 4. connect to the database as user "usertest1", which fails with permission denied
> {code}
> $ psql postgres -U usertest1
> psql: FATAL:  permission denied for database "postgres"
> DETAIL:  User does not have CONNECT privilege.
> {code}
> 5. set policy with database, schema and table included
> !screenshot-2.png|width=800,height=400!
> 6. connect to the database as user "usertest1", which succeeds
> {code}
> $ psql postgres -U usertest1
> psql (8.2.15)
> Type "help" for help.
> postgres=#
> {code}
> But if we do not set table to "*" and instead specify a table like "a", we cannot access the database either.
> !screenshot-3.png|width=800,height=400!



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
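
Added example (not part of the original message, and not Ranger or HAWQ code): a simplified Python model of policy matching in which a resource level the request omits can satisfy only a "*" value and exclude inverts the result. Under that assumption it reproduces the three connection outcomes reported in the issue description; the matching rule, the schema value "*", the access-type names and all function names are assumptions.

```python
# Simplified model of hierarchical include/exclude matching. This is an
# assumption made for illustration, not Ranger or HAWQ source code.
from fnmatch import fnmatchcase


def level_matches(rule, value):
    """rule is {"values": [...], "isExcludes": bool}; value is None when the
    request does not carry this level (CONNECT names only a database)."""
    if value is None:
        hit = "*" in rule["values"]  # a missing level satisfies only "*"
    else:
        hit = any(fnmatchcase(value, p) for p in rule["values"])
    # Exclude inverts the result, even when the level was missing.
    return not hit if rule["isExcludes"] else hit


def policy_allows(policy, request, access):
    """Allow only if the access type is granted and every level matches."""
    if access not in policy["accesses"]:
        return False
    return all(level_matches(rule, request.get(level))
               for level, rule in policy["resources"].items())


def make_policy(table_values, table_excluded):
    # Constructed policy: database "postgres" and schema "*" included.
    return {
        "accesses": {"connect", "usage"},
        "resources": {
            "database": {"values": ["postgres"], "isExcludes": False},
            "schema": {"values": ["*"], "isExcludes": False},
            "table": {"values": table_values, "isExcludes": table_excluded},
        },
    }


def connect_outcomes():
    request = {"database": "postgres"}  # database-level request: no schema, no table
    cases = {
        "step 3: table '*' excluded": make_policy(["*"], True),
        "step 5: table '*' included": make_policy(["*"], False),
        "last case: table 'a' included": make_policy(["a"], False),
    }
    return {name: policy_allows(p, request, "connect")
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, allowed in connect_outcomes().items():
        print(f"{name}: {'connect allowed' if allowed else 'permission denied'}")
```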