Posted to commits@ranger.apache.org by rm...@apache.org on 2021/04/28 04:38:04 UTC
[ranger] branch ranger-2.2 updated: RANGER-3252:Inconsistent
behavior in Ranger Role authorization within same hive beeline session
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 4f1785a RANGER-3252:Inconsistent behavior in Ranger Role authorization within same hive beeline session
4f1785a is described below
commit 4f1785a79aabb6314f6e241ecc8f76c7f4eda0e4
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Mon Apr 26 22:37:50 2021 -0700
RANGER-3252:Inconsistent behavior in Ranger Role authorization within same hive beeline session
Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
.../hive/authorizer/RangerHiveAuthorizer.java | 32 +++++++++++++++++-----
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 5bd5c2d..e145ea2 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -717,7 +717,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles = getCurrentRoles();
+ Set<String> roles = getCurrentRolesForUser(user, groups);
if(LOG.isDebugEnabled()) {
LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext));
@@ -1059,7 +1059,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles = getCurrentRoles();
+ Set<String> roles = getCurrentRolesForUser(user, groups);
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("filterListCmdObjects: user[%s], groups[%s], roles[%s] ", user, groups, roles));
}
@@ -1252,7 +1252,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles = getCurrentRoles();
+ Set<String> roles = getCurrentRolesForUser(user, groups);
HiveObjectType objectType = HiveObjectType.TABLE;
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName);
RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
@@ -1293,7 +1293,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles = getCurrentRoles();
+ Set<String> roles = getCurrentRolesForUser(user, groups);
HiveObjectType objectType = HiveObjectType.COLUMN;
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
@@ -2929,9 +2929,27 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
}
+ private Set<String> getCurrentRolesForUser(String user, Set<String> groups) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHiveAuthorizer.getCurrentRolesForUser()");
+ }
+
+ Set<String> ret = hivePlugin.getRolesFromUserAndGroups(user, groups);
+
+ if (CollectionUtils.isNotEmpty(ret) && CollectionUtils.isNotEmpty(currentRoles) && ret.containsAll(currentRoles)) {
+ ret = currentRoles;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHiveAuthorizer.getCurrentRolesForUser() User: " + currentUserName + ", User Roles: " + ret);
+ }
+
+ return ret;
+ }
+
private Set<String> getCurrentRoleNamesFromRanger() throws HiveAuthzPluginException {
if (LOG.isDebugEnabled()) {
- LOG.debug("RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
+ LOG.debug("==> RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
}
boolean result = false;
UserGroupInformation ugi = getCurrentUserGroupInfo();
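Review bot: The subset check in getCurrentRolesForUser discards the session's SET ROLE restriction entirely as soon as any one role in `currentRoles` is no longer returned by `hivePlugin.getRolesFromUserAndGroups` (for example after it was revoked in Ranger): `ret.containsAll(currentRoles)` is then false and the caller receives every role the user holds rather than the still-valid part of what was selected. If the intent is that an explicit SET ROLE only narrows authorization, the robust form is the intersection, computed on a copy so the plugin's returned set is not mutated and so the live `currentRoles` field is not handed to RangerHiveAccessRequest callers by reference. The exit debug line logs the `currentUserName` field rather than the `user` parameter the roles were resolved for, so `", User: " + user + ", groups: " + groups + ", User Roles: " + ret` would make the trace match the lookup. How `currentRoles` is populated (setCurrentRole) is outside this hunk, so the SET ROLE NONE case and whether callers tolerate an empty set instead of null cannot be judged from here.
```java
private Set<String> getCurrentRolesForUser(String user, Set<String> groups) {
    // … unchanged: entry debug logging …

    Set<String> rangerRoles = hivePlugin.getRolesFromUserAndGroups(user, groups);
    Set<String> ret = rangerRoles == null ? new HashSet<String>() : new HashSet<String>(rangerRoles);

    // An explicit SET ROLE in the session can only narrow the Ranger-resolved roles, never widen them.
    if (CollectionUtils.isNotEmpty(currentRoles)) {
        ret.retainAll(currentRoles);
    }

    // … unchanged: exit debug logging and return …
```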
@@ -2946,7 +2964,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
try {
if (LOG.isDebugEnabled()) {
- LOG.debug("<== getCurrentRoleNamesFromRanger() for user " + user +", userGroups: " + groups);
+ LOG.debug("==> RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user + ", userGroups: " + groups);
}
Set<String> userRoles = new HashSet<String>(getRolesforUserAndGroups(user, groups));
for (String role : userRoles) {
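Review bot: After this change getCurrentRoleNamesFromRanger logs two entry markers: `==>` at the top of the method (earlier in this file section) and again at this line inside the try block, so a reader of the debug trace sees a second entry with no matching exit. Since this line already carries `user` and `groups`, which the top-of-method line lacks, consider either dropping the arrow here (`LOG.debug("RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user + ", userGroups: " + groups);`) or moving user and groups into the single entry line. The method's body continues beyond the hunk.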
@@ -2966,7 +2984,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
auditHandler.flushAudit();
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user: " + user + ", roleNames: " + ret);
+ LOG.debug("<== RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user: " + user + ", userGroups: " + groups + ", roleNames: " + ret);
}
return ret;
}