Posted to commits@hive.apache.org by an...@apache.org on 2020/10/13 08:50:08 UTC
[hive] branch master updated: HIVE-24246: Fix for Ranger Deny
policy overriding policy with same resource name (Aasha Medhi,
reviewed by Pravin Kumar Sinha)
This is an automated email from the ASF dual-hosted git repository.
anishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new a21fe6b HIVE-24246: Fix for Ranger Deny policy overriding policy with same resource name (Aasha Medhi, reviewed by Pravin Kumar Sinha)
a21fe6b is described below
commit a21fe6bdcb10583352b7ed4a86f03fb3fe1dad2c
Author: Anishek Agarwal <an...@gmail.com>
AuthorDate: Tue Oct 13 14:19:52 2020 +0530
HIVE-24246: Fix for Ranger Deny policy overriding policy with same resource name (Aasha Medhi, reviewed by Pravin Kumar Sinha)
---
.../hadoop/hive/ql/exec/repl/ReplLoadTask.java | 3 +-
.../ql/exec/repl/ranger/RangerRestClientImpl.java | 4 +-
.../hive/ql/exec/repl/TestRangerLoadTask.java | 90 +++++++++++++++++++++-
3 files changed, 92 insertions(+), 5 deletions(-)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ReplLoadTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ReplLoadTask.java
index 6265df1..61b3652 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ReplLoadTask.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ReplLoadTask.java
@@ -162,7 +162,8 @@ public class ReplLoadTask extends Task<ReplLoadWork> implements Serializable {
if (RANGER_AUTHORIZER.equalsIgnoreCase(conf.getVar(HiveConf.ConfVars.REPL_AUTHORIZATION_PROVIDER_SERVICE))) {
Path rangerLoadRoot = new Path(new Path(work.dumpDirectory).getParent(), ReplUtils.REPL_RANGER_BASE_DIR);
LOG.info("Adding Import Ranger Metadata Task from {} ", rangerLoadRoot);
- RangerLoadWork rangerLoadWork = new RangerLoadWork(rangerLoadRoot, work.getSourceDbName(), work.dbNameToLoadIn,
+ String targetDbName = StringUtils.isEmpty(work.dbNameToLoadIn) ? work.getSourceDbName() : work.dbNameToLoadIn;
+ RangerLoadWork rangerLoadWork = new RangerLoadWork(rangerLoadRoot, work.getSourceDbName(), targetDbName,
work.getMetricCollector());
Task<RangerLoadWork> rangerLoadTask = TaskFactory.get(rangerLoadWork, conf);
if (childTasks == null) {
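Review bot: The `LOG.info` line above the new `targetDbName` assignment still reports only `rangerLoadRoot`, so nothing records which database name the imported Ranger policies end up bound to once the fallback to `work.getSourceDbName()` applies. For an authorization import that is worth having in the log: compute `targetDbName` first and log it, e.g. `LOG.info("Adding Import Ranger Metadata Task from {} for target db {}", rangerLoadRoot, targetDbName);`. If both `work.dbNameToLoadIn` and `work.getSourceDbName()` can be empty, `targetDbName` stays empty and flows into the import request; that case is not handled in the visible lines. The enclosing method starts and ends outside this hunk.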
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ranger/RangerRestClientImpl.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ranger/RangerRestClientImpl.java
index 87a2395..31081ab 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ranger/RangerRestClientImpl.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ranger/RangerRestClientImpl.java
@@ -260,7 +260,7 @@ public class RangerRestClientImpl implements RangerRestClient {
public String getRangerImportUrl(String rangerUrl, String dbName) throws URISyntaxException {
URIBuilder uriBuilder = new URIBuilder(rangerUrl);
uriBuilder.setPath(RANGER_REST_URL_IMPORTJSONFILE);
- uriBuilder.addParameter("updateIfExists", "true");
+ uriBuilder.addParameter("mergeIfExists", "true");
uriBuilder.addParameter("polResource", dbName);
return uriBuilder.build().toString();
}
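Review bot: The switch from `updateIfExists` to `mergeIfExists` in `getRangerImportUrl` changes how an existing policy on the same resource is treated, yet the line carries no comment saying why. Going by the commit title, the old parameter let the replicated deny policy replace an existing policy with the same resource name; a short comment such as `// mergeIfExists: merge into an existing policy on the same resource instead of replacing it (HIVE-24246)` would keep a later cleanup from reverting it. `dbName` is also passed to `polResource` without a null or empty check, which is worth a guard or a documented precondition, since an unscoped import may be broader than intended.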
@@ -277,7 +277,7 @@ public class RangerRestClientImpl implements RangerRestClient {
@Override
public List<RangerPolicy> changeDataSet(List<RangerPolicy> rangerPolicies, String sourceDbName,
String targetDbName) {
- if (targetDbName.equals(sourceDbName)) {
+ if (StringUtils.isEmpty(sourceDbName) || StringUtils.isEmpty(targetDbName) || targetDbName.equals(sourceDbName)) {
return rangerPolicies;
}
if (CollectionUtils.isNotEmpty(rangerPolicies)) {
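Review bot: The widened guard in `changeDataSet` now returns the policies untouched when either name is empty, and it does so silently. Equal names are a normal no-op, but an empty `sourceDbName` or `targetDbName` means policies are imported still naming the source database, which an operator should be able to see. Consider splitting the empty-name case out of the condition and logging it before returning, e.g. `LOG.warn("Skipping Ranger policy db rename: source='{}', target='{}'", sourceDbName, targetDbName);` (assuming the class has a logger, which is not visible here). The method body continues outside this hunk.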
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/exec/repl/TestRangerLoadTask.java b/ql/src/test/org/apache/hadoop/hive/ql/exec/repl/TestRangerLoadTask.java
index d8141d4..c6bc99e 100644
--- a/ql/src/test/org/apache/hadoop/hive/ql/exec/repl/TestRangerLoadTask.java
+++ b/ql/src/test/org/apache/hadoop/hive/ql/exec/repl/TestRangerLoadTask.java
@@ -40,6 +40,7 @@ import org.slf4j.LoggerFactory;
import java.net.MalformedURLException;
import java.net.URL;
+import java.util.List;
import static org.apache.hadoop.hive.conf.HiveConf.ConfVars.REPL_RANGER_ADD_DENY_POLICY_TARGET;
import static org.apache.hadoop.hive.ql.exec.repl.util.ReplUtils.RANGER_HIVE_SERVICE_NAME;
@@ -283,11 +284,96 @@ public class TestRangerLoadTask {
Assert.assertTrue(rangerRestClient.getRangerImportUrl("http://ranger.apache.org:6080/",
"dbname").equals("http://ranger.apache.org:6080/service/plugins/policies/importPoliciesFromFile"
- + "?updateIfExists=true&polResource=dbname"));
+ + "?mergeIfExists=true&polResource=dbname"));
Assert.assertTrue(rangerRestClient.getRangerImportUrl("http://ranger.apache.org:6080",
"dbname").equals("http://ranger.apache.org:6080/service/plugins/policies/importPoliciesFromFile"
- + "?updateIfExists=true&polResource=dbname"));
+ + "?mergeIfExists=true&polResource=dbname"));
}
+
+ @Test
+ public void testChangeDataSet() throws Exception {
+ RangerRestClientImpl rangerRestClient = new RangerRestClientImpl();
+ String rangerResponse = "{\"metaDataInfo\":{\"Host name\":\"ranger.apache.org\","
+ + "\"Exported by\":\"hive\",\"Export time\":\"May 5, 2020, 8:55:03 AM\",\"Ranger apache version\""
+ + ":\"2.0.0.7.2.0.0-61\"},\"policies\":[{\"service\":\"cm_hive\",\"name\":\"db-level\",\"policyType\":0,"
+ + "\"description\":\"\",\"isAuditEnabled\":true,\"resources\":{\"database\":{\"values\":[\"aa\"],"
+ + "\"isExcludes\":false,\"isRecursive\":false},\"column\":{\"values\":[\"id\"],\"isExcludes\":false,"
+ + "\"isRecursive\":false},\"table\":{\"values\":[\"*\"],\"isExcludes\":false,\"isRecursive\":false}},"
+ + "\"policyItems\":[{\"accesses\":[{\"type\":\"select\",\"isAllowed\":true},{\"type\":\"update\","
+ + "\"isAllowed\":true}],\"users\":[\"admin\"],\"groups\":[\"public\"],\"conditions\":[],"
+ + "\"delegateAdmin\":false}],\"denyPolicyItems\":[],\"allowExceptions\":[],\"denyExceptions\":[],"
+ + "\"dataMaskPolicyItems\":[],\"rowFilterPolicyItems\":[],\"id\":40,\"guid\":"
+ + "\"4e2b3406-7b9a-4004-8cdf-7a239c8e2cae\",\"isEnabled\":true,\"version\":1}]}";
+ RangerExportPolicyList rangerPolicyList = new Gson().fromJson(rangerResponse, RangerExportPolicyList.class);
+ List<RangerPolicy> rangerPolicies = rangerPolicyList.getPolicies();
+ rangerRestClient.changeDataSet(rangerPolicies, null, null);
+ assertEqualsRangerPolicies(rangerPolicies, rangerRestClient.changeDataSet(rangerPolicies,
+ null, null), "aa");
+ assertEqualsRangerPolicies(rangerPolicies, rangerRestClient.changeDataSet(rangerPolicies,
+ "aa", null), "aa");
+ assertEqualsRangerPolicies(rangerPolicies, rangerRestClient.changeDataSet(rangerPolicies,
+ null, "aa"), "aa");
+ assertEqualsRangerPolicies(rangerPolicies, rangerRestClient.changeDataSet(rangerPolicies,
+ "aa", "aa"), "aa");
+ assertNotEqualsRangerPolicies(rangerPolicies, rangerRestClient.changeDataSet(rangerPolicies,
+ "aa", "tgt_aa"), "tgt_aa");
+ }
+
+ private void assertNotEqualsRangerPolicies(List<RangerPolicy> expectedRangerPolicies,
+ List<RangerPolicy> actualRangerPolicies, String targetName) {
+ Assert.assertEquals(expectedRangerPolicies.size(), actualRangerPolicies.size());
+ for (int index = 0; index < expectedRangerPolicies.size(); index++) {
+ Assert.assertEquals(expectedRangerPolicies.get(index).getName(), actualRangerPolicies.get(index).getName());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getService(), actualRangerPolicies.get(index).getService());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getDescription(),
+ actualRangerPolicies.get(index).getDescription());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getPolicyType(),
+ actualRangerPolicies.get(index).getPolicyType());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getResources().size(),
+ actualRangerPolicies.get(index).getResources().size());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getResources().size(),
+ actualRangerPolicies.get(index).getResources().size());
+ RangerPolicy.RangerPolicyResource expectedRangerPolicyResource = expectedRangerPolicies.get(index)
+ .getResources().get("database");
+ RangerPolicy.RangerPolicyResource actualRangerPolicyResource = actualRangerPolicies.get(index)
+ .getResources().get("database");
+ Assert.assertEquals(expectedRangerPolicyResource.getValues().size(),
+ actualRangerPolicyResource.getValues().size());
+ for (int resourceIndex = 0; resourceIndex < expectedRangerPolicyResource.getValues().size(); resourceIndex++) {
+ Assert.assertEquals(actualRangerPolicyResource.getValues().get(index),
+ targetName);
+ }
+ }
+ }
+
+ private void assertEqualsRangerPolicies(List<RangerPolicy> expectedRangerPolicies,
+ List<RangerPolicy> actualRangerPolicies, String sourceName) {
+ Assert.assertEquals(expectedRangerPolicies.size(), actualRangerPolicies.size());
+ for (int index = 0; index < expectedRangerPolicies.size(); index++) {
+ Assert.assertEquals(expectedRangerPolicies.get(index).getName(), actualRangerPolicies.get(index).getName());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getService(), actualRangerPolicies.get(index).getService());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getDescription(),
+ actualRangerPolicies.get(index).getDescription());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getPolicyType(),
+ actualRangerPolicies.get(index).getPolicyType());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getResources().size(),
+ actualRangerPolicies.get(index).getResources().size());
+ Assert.assertEquals(expectedRangerPolicies.get(index).getResources().size(),
+ actualRangerPolicies.get(index).getResources().size());
+ RangerPolicy.RangerPolicyResource expectedRangerPolicyResource = expectedRangerPolicies.get(index)
+ .getResources().get("database");
+ RangerPolicy.RangerPolicyResource actualRangerPolicyResource = actualRangerPolicies.get(index)
+ .getResources().get("database");
+ Assert.assertEquals(expectedRangerPolicyResource.getValues().size(),
+ actualRangerPolicyResource.getValues().size());
+ for (int resourceIndex = 0; resourceIndex < expectedRangerPolicyResource.getValues().size(); resourceIndex++) {
+ Assert.assertEquals(expectedRangerPolicyResource.getValues().get(index),
+ actualRangerPolicyResource.getValues().get(index));
+ Assert.assertEquals(actualRangerPolicyResource.getValues().get(index),
+ sourceName);
+ }
+ }
+ }
}
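Review bot: The inner loops of `assertNotEqualsRangerPolicies` and `assertEqualsRangerPolicies` iterate with `resourceIndex` but read `getValues().get(index)`, the outer policy index, so they only ever check one value per policy. They pass here only because the fixture has one policy with one database value. Use the loop variable, e.g. `Assert.assertEquals(targetName, actualRangerPolicyResource.getValues().get(resourceIndex));`, which also puts the expected value first as JUnit intends. The first `changeDataSet(rangerPolicies, null, null)` call in `testChangeDataSet` discards its result, and the `getResources().size()` assertion is duplicated in both helpers. If `changeDataSet` rewrites the list in place (its body is not visible here), expected and actual are the same objects and the field-by-field comparisons cannot fail; building a fresh list from `rangerResponse` for each case would avoid that.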