This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 4f1785a RANGER-3252:Inconsistent behavior in Ranger Role
authorization within same hive beeline session
4f1785a is described below
commit 4f1785a79aabb6314f6e241ecc8f76c7f4eda0e4
Author: Ramesh Mani <[email protected]>
AuthorDate: Mon Apr 26 22:37:50 2021 -0700
RANGER-3252:Inconsistent behavior in Ranger Role authorization within same
hive beeline session
Signed-off-by: Ramesh Mani <[email protected]>
---
.../hive/authorizer/RangerHiveAuthorizer.java | 32 +++++++++++++++++-----
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 5bd5c2d..e145ea2 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -717,7 +717,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext =
getHiveAuthzSessionContext();
String user =
ugi.getShortUserName();
Set<String> groups =
Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles =
getCurrentRoles();
+ Set<String> roles =
getCurrentRolesForUser(user, groups);
if(LOG.isDebugEnabled()) {
LOG.debug(toString(hiveOpType, inputHObjs,
outputHObjs, context, sessionContext));
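Review bot: The new `roles` value is used downstream without a null guard, and getCurrentRolesForUser hands back whatever `hivePlugin.getRolesFromUserAndGroups` returns when that result is empty or null (its `CollectionUtils.isNotEmpty(ret)` check only gates the substitution with `currentRoles`), so if the plugin lookup can yield null the access request would carry null roles where the previous getCurrentRoles() presumably returned the session's set. Either `if (roles == null) { roles = Collections.emptySet(); }` at the call site or a documented non-null guarantee on the helper would close that gap. The same replacement appears in the hunks at -1059, -1252 and -1293. The enclosing method begins before this hunk.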
@@ -1059,7 +1059,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext =
getHiveAuthzSessionContext();
String user = ugi.getShortUserName();
Set<String> groups =
Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles = getCurrentRoles();
+ Set<String> roles = getCurrentRolesForUser(user,
groups);
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("filterListCmdObjects:
user[%s], groups[%s], roles[%s] ", user, groups, roles));
}
@@ -1252,7 +1252,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext =
getHiveAuthzSessionContext();
String user =
ugi.getShortUserName();
Set<String> groups =
Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles =
getCurrentRoles();
+ Set<String> roles =
getCurrentRolesForUser(user, groups);
HiveObjectType objectType =
HiveObjectType.TABLE;
RangerHiveResource resource = new
RangerHiveResource(objectType, databaseName, tableOrViewName);
RangerHiveAccessRequest request = new
RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(),
HiveAccessType.SELECT, context, sessionContext);
@@ -1293,7 +1293,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
HiveAuthzSessionContext sessionContext =
getHiveAuthzSessionContext();
String user =
ugi.getShortUserName();
Set<String> groups =
Sets.newHashSet(ugi.getGroupNames());
- Set<String> roles =
getCurrentRoles();
+ Set<String> roles =
getCurrentRolesForUser(user, groups);
HiveObjectType objectType =
HiveObjectType.COLUMN;
RangerHiveResource resource = new
RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
RangerHiveAccessRequest request = new
RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(),
HiveAccessType.SELECT, context, sessionContext);
@@ -2929,9 +2929,27 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
LOG.info("Current user : " + currentUserName + ", Current Roles
: " + currentRoles);
}
+ private Set<String> getCurrentRolesForUser(String user, Set<String>
groups) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerHiveAuthorizer.getCurrentRolesForUser()");
+ }
+
+ Set<String> ret = hivePlugin.getRolesFromUserAndGroups(user,
groups);
+
+ if (CollectionUtils.isNotEmpty(ret) &&
CollectionUtils.isNotEmpty(currentRoles) && ret.containsAll(currentRoles)) {
+ ret = currentRoles;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerHiveAuthorizer.getCurrentRolesForUser() User: " + currentUserName + ",
User Roles: " + ret);
+ }
+
+ return ret;
+ }
+
private Set<String> getCurrentRoleNamesFromRanger() throws
HiveAuthzPluginException {
if (LOG.isDebugEnabled()) {
-
LOG.debug("RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
+ LOG.debug("==>
RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
}
boolean result = false;
UserGroupInformation ugi = getCurrentUserGroupInfo();
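Review bot: In getCurrentRolesForUser the session's active roles are honored only when they are wholly contained in the fresh Ranger lookup; if `currentRoles` is empty, or holds even one role that has since been revoked, the method returns the full set from `hivePlugin.getRolesFromUserAndGroups`, so a session that narrowed its roles with SET ROLE can end up authorized with all of them. If that widening is not intended, the non-subset case should intersect rather than replace, on a copy since the plugin's set may be shared: `Set<String> active = new HashSet<>(ret); active.retainAll(currentRoles); ret = active;`, and a comment should state whether an empty `currentRoles` means "no SET ROLE issued" or "SET ROLE NONE", because the two need opposite handling. The exit debug line logs the field `currentUserName` while the roles were computed for the `user` parameter; logging `user` keeps the message consistent with the lookup. getCurrentRoleNamesFromRanger continues past the end of this hunk.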
@@ -2946,7 +2964,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
RangerHiveAuditHandler auditHandler = new
RangerHiveAuditHandler();
try {
if (LOG.isDebugEnabled()) {
- LOG.debug("<== getCurrentRoleNamesFromRanger()
for user " + user +", userGroups: " + groups);
+ LOG.debug("==>
RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user + ",
userGroups: " + groups);
}
Set<String> userRoles = new
HashSet<String>(getRolesforUserAndGroups(user, groups));
for (String role : userRoles) {
@@ -2966,7 +2984,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
auditHandler.flushAudit();
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user: " + user + ",
roleNames: " + ret);
+ LOG.debug("<==
RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user: " + user + ",
userGroups: " + groups + ", roleNames: " + ret);
}
return ret;
}