Posted to commits@ranger.apache.org by rm...@apache.org on 2021/09/08 16:15:35 UTC

[ranger] branch master updated: RANGER-3350: Ranger HivePluginAuthorizer SHOW CURRENT ROLES not fetching the role set in current hive beeline session

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 92fdf20  RANGER-3350: Ranger HivePluginAuthorizer SHOW CURRENT ROLES not fetching the role set in current hive beeline session
92fdf20 is described below

commit 92fdf206d80576deaa2e08702a9138255995a326
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Tue Aug 17 21:58:03 2021 -0700

    RANGER-3350: Ranger HivePluginAuthorizer SHOW CURRENT ROLES not fetching the role set in current hive beeline session
    
    Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 26 ++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 8621f73..7558034 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -127,6 +127,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 	private String currentUserName;
 	private Set<String> currentRoles;
 	private String adminRole;
+	private boolean isCurrentRoleSet = false;
 
 	public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
 								  HiveConf                   hiveConf,
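Review bot: `isCurrentRoleSet` is set to true in four branches of the role-setting code further down, but nothing visible in this diff ever sets it back to false, so once SET ROLE runs the role set stays pinned for the lifetime of this authorizer instance. If the instance can outlive a change of authenticated user (the new `getCurrentRoleForCurrentUser()` re-reads `getHiveAuthenticator().getUserName()`, which suggests it might), the pinned roles would carry over to the next user. I would document the lifetime on the field, e.g. `// true once SET ROLE has pinned currentRoles for this session; never reset, so the instance must not be shared across users`, or clear the flag when the user name changes. The class body continues outside the hunk.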
@@ -310,12 +311,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		if (ROLE_NONE.equalsIgnoreCase(roleName)) {
 			// for set role NONE, clear all roles for current session.
 			currentRoles.clear();
+			isCurrentRoleSet = true;
 			return;
 		}
 		if (ROLE_ALL.equalsIgnoreCase(roleName)) {
 			// for set role ALL, reset roles to default roles.
 			currentRoles.clear();
 			currentRoles.addAll(getCurrentRoleNamesFromRanger());
+			isCurrentRoleSet = true;
 			return;
 		}
 		for (String role : getCurrentRoleNamesFromRanger()) {
@@ -323,6 +326,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			if (role.equalsIgnoreCase(roleName)) {
 				currentRoles.clear();
 				currentRoles.add(role);
+				isCurrentRoleSet = true;
 				return;
 			}
 		}
@@ -330,6 +334,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		if (ROLE_ADMIN.equalsIgnoreCase(roleName) && null != this.adminRole) {
 			currentRoles.clear();
 			currentRoles.add(adminRole);
+			isCurrentRoleSet = true;
 			return;
 		}
 		LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
@@ -3011,7 +3016,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 
 	private Set<String> getCurrentRoles() {
 		// from SQLStdHiveAccessController.getCurrentRoles()
-		initUserRoles();
+		getCurrentRoleForCurrentUser();
 		return currentRoles;
 	}
 
@@ -3037,6 +3042,21 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
 	}
 
+	private void getCurrentRoleForCurrentUser() {
+		if (isCurrentRoleSet) {
+			// current session has a role set, so no need to fetch roles.
+			return;
+		}
+		String newUserName = getHiveAuthenticator().getUserName();
+		this.currentUserName = newUserName;
+		try {
+			currentRoles = getCurrentRoleNamesFromRanger();
+		} catch (HiveAuthzPluginException e) {
+			LOG.error("Error while fetching roles from ranger for user : " + currentUserName, e);
+		}
+		LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
+	}
+
 	private Set<String> getCurrentRolesForUser(String user, Set<String> groups) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerHiveAuthorizer.getCurrentRolesForUser()");
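Review bot: The catch block in `getCurrentRoleForCurrentUser()` only logs, so when the Ranger lookup fails `currentUserName` has already been overwritten while `currentRoles` keeps whatever it held before (possibly roles fetched for a previous user, or null), and `getCurrentRoles()` then returns that value. An authorizer should fail closed here: reset the set in the catch, e.g. `currentRoles = new HashSet<>();` (assuming `HashSet` is imported; the import block is not visible), or let the failure reach the caller. Separately, the direct assignment keeps a reference to the set returned by `getCurrentRoleNamesFromRanger()`, which the set-role branches later mutate with `clear()` and `add()`; if that set is shared by the plugin, a defensive copy would be needed.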
@@ -3044,9 +3064,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 
 		Set<String>  ret  = hivePlugin.getRolesFromUserAndGroups(user, groups);
 
-		if (CollectionUtils.isNotEmpty(ret) && CollectionUtils.isNotEmpty(currentRoles) && ret.containsAll(currentRoles)) {
-			ret = currentRoles;
-		}
+		ret = (isCurrentRoleSet) ? currentRoles : ret;
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerHiveAuthorizer.getCurrentRolesForUser() User: " + currentUserName + ", User Roles: " + ret);
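Review bot: The replacement `ret = (isCurrentRoleSet) ? currentRoles : ret;` drops the old `ret.containsAll(currentRoles)` guard, so after SET ROLE the method returns the session's pinned roles without checking that Ranger still reports them for `user` and `groups`. A role revoked in Ranger after it was selected would keep being returned, and the `user` argument is ignored entirely while the flag is set. Consider keeping the subset check for the non-empty case, e.g. `if (isCurrentRoleSet && (currentRoles.isEmpty() || (ret != null && ret.containsAll(currentRoles)))) { ret = currentRoles; }`, and deciding explicitly what to return when a pinned role is no longer granted. The method starts and ends outside the hunk.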