You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "peng bo (JIRA)" <ji...@apache.org> on 2019/01/30 08:55:00 UTC

[jira] [Commented] (RANGER-2329) [Hive Plugin] show databases denied although user has access to some databases

    [ https://issues.apache.org/jira/browse/RANGER-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16755869#comment-16755869 ] 

peng bo commented on RANGER-2329:
---------------------------------

My fix is to remove the according code.

a. the logic doesn't seem to be right,  require no database equals to all
b. Grant scenario seems to already add '*' in case of empty. 
{code:java}
String database = StringUtils.isEmpty(resource.getDatabase()) ? "*" : resource.getDatabase();
String table    = StringUtils.isEmpty(resource.getTable()) ? "*" : resource.getTable();
String column   = StringUtils.isEmpty(resource.getColumn()) ? "*" : resource.getColumn();
{code}




> [Hive Plugin] show databases denied although user has access to some databases
> ------------------------------------------------------------------------------
>
>                 Key: RANGER-2329
>                 URL: https://issues.apache.org/jira/browse/RANGER-2329
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 1.0.0, 1.2.0
>            Reporter: peng bo
>            Priority: Major
>              Labels: patch
>             Fix For: 1.0.0
>
>         Attachments: RANGER-2329.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> a. assign select permission to user1 for database A with table * and hive Column *
> b. login user1 by beeline 
> c. type 'show databases', error shows 
> Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hadoop] does not have [USE] privilege on [*] (state=42000,code=40000)
> The cause:
> It seems to be a regression introduced by [RANGER-1766|https://issues.apache.org/jira/browse/RANGER-1766]: 
> {code:java}
> public class RangerHiveResource extends RangerAccessResourceImpl {
> 	public RangerHiveResource(HiveObjectType objectType, String databaseorUrl, String tableOrUdf, String column) {
>             case DATABASE:
> +                if (databaseorUrl == null) {
> +                   databaseorUrl = "*";
> +                }
> {code}
> This code applies on "show databases" as well which prevents the according RangerPolicyEvaluator from being returned.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)